Signature payload matching

Hi,

Once a signature has been written, compiled and matched against traffic, I noticed that sometimes there are entries in signatures.log and notice.log, and sometimes there are only entries in notice.log.

I didn’t change the default settings for signatures.bro yet (no local site configuration). I wonder in which cases bro is told to write to signatures.log.

Thanks.

Rodrigue

Can you send an example including the entries in the logs and the
signatures?

Robin

The matches reported in auto/signatures.log and auto/notices.log are
the same as far as I can see. And I don't see any reported in test/*.
So not sure what the problem is?

Robin

What I wondered is why nothing is reported for test.sig.
The payload is not the same, I do agree. But I don’t understand why it failed to detect it in the traffic.

Thanks in advance.
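As an added illustration of the setup discussed in this thread (this is not code from the original posts or from the Bro project; the signature id "test-http-root", the file name local.sig and the sample request are placeholders I chose), here is a minimal payload signature together with the local.bro lines that decide whether a match ends up in signatures.log only or in signatures.log plus notice.log. The block shows two files, separated by comment headers. The mapping of Signatures::actions values to log files is my reading of base/frameworks/signatures/main.bro in Bro 2.x and should be checked against the version in use.

```bro
# ---- local.sig (hypothetical signature file) ----------------------------
signature test-http-root {
    ip-proto == tcp
    dst-port == 80
    # The payload regex is matched from the start of the reassembled
    # stream, so a leading .* is needed to find "root" anywhere in the
    # request; without it, "GET /root" would not match because the
    # pattern would have to begin at offset 0.
    payload /.*root/
    event "test-http-root: 'root' seen in HTTP request"
}

# ---- local.bro (hypothetical site script) -------------------------------
# Signatures are not picked up automatically; load the file explicitly.
@load-sigs ./local.sig
# Equivalent alternative:  redef signature_files += "local.sig";

# Signatures::actions maps a signature id to what happens on a match.
# As I read the framework:
#   SIG_LOG    -> entry in signatures.log only
#   SIG_ALARM  -> entry in signatures.log and a
#                 Signatures::Sensitive_Signature notice in notice.log
#   SIG_QUIET  -> no signatures.log entry, match only feeds scan counters
#   SIG_IGNORE -> match discarded
# Ids that are not listed fall back to the table's &default, SIG_ALARM,
# which is why a freshly written signature usually shows up in both logs.
redef Signatures::actions += {
    ["test-http-root"] = Signatures::SIG_LOG,
};
```

To try it offline, capture one HTTP request containing the string root (for example a constructed `GET /root HTTP/1.0` to port 80) into a pcap and run `bro -r sample.pcap local.bro`; with the SIG_LOG setting above only signatures.log should gain a line, and switching the entry to Signatures::SIG_ALARM (or deleting it, to take the default) should additionally produce a Signatures::Sensitive_Signature line in notice.log.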