Signature payload matching


Once a signature has been written, compiled and matched against traffic, I noticed that sometimes there are entries in signatures.log and notice.log, and sometimes there are only entries in notice.log.

I didn’t change the default settings for signatures.bro yet (no local site configuration). I wonder when (in which cases) Bro is told to write to signatures.log.



Can you send an example including the entries in the logs and the


The matches reported in auto/signatures.log and auto/notices.log are
the same as far as I can see. And I don't see any reported in test/*.
So not sure what the problem is?


What I wondered is why nothing is reported for test.sig.
The payload is not the same, I do agree. But I don’t understand why it failed to detect it in the traffic.

Thanks in advance.