signatures

(Last one for today, I promise)

Given these two signatures:

signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
}

signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
}

We see both of them (which I'm about to ignore), but I don't understand
why one is triggered over the other.

Thanks,
Dop

It's definitely best to get rid of both of those signatures. They aren't even matching what they claim to be matching because of those "Not supported" lines. It's just an internal implementation detail as to which one gets triggered because the signature engine is going to look to see which one matched and it will trigger the first one that it finds and then stop.

Pretty much anything that says "s2b" (snort2bro) will be gone from the next release and can even currently be ignored. The snort2bro code has already been completely removed from the work repository.

  .Seth
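To make concrete what the two "Not supported" byte_test lines were meant to check, here is an added example (not code from this thread, from Bro, or from snort2bro): a small Python evaluator for Snort's byte_test: <bytes>,<op>,<value>,<offset> applied to constructed BOOTP headers, next to the op-byte check that is all the generated signatures retain. Field offsets follow the BOOTP fixed header (op, htype, hlen, hops, xid); the packet bytes and the helper names are constructed for illustration.

```python
import struct

# Snort byte_test semantics (reimplemented here for illustration, not Snort's own code):
# take <bytes> bytes at <offset> as a big-endian integer and compare it with <value>.
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def byte_test(payload: bytes, spec: str) -> bool:
    nbytes_s, op, value_s, offset_s = [p.strip() for p in spec.split(",")]
    nbytes, value, offset = int(nbytes_s), int(value_s), int(offset_s)
    if len(payload) < offset + nbytes:          # too short: the test cannot match
        return False
    field = int.from_bytes(payload[offset:offset + nbytes], "big")
    return OPS[op](field, value)

# The two signatures from the thread: the byte_test snort2bro dropped, and the event name.
# byte 2 is hlen (hardware address length), byte 1 is htype (hardware type).
RULES = {
    "s2b-1939-4": ("1,>,6,2", "MISC bootp hardware address length overflow"),
    "s2b-1940-3": ("1,>,7,1", "MISC bootp invalid hardware type"),
}

def bootp_header(op=1, htype=1, hlen=6, hops=0, xid=0x3903F326) -> bytes:
    """Constructed minimal BOOTP/DHCP header: 4 leading bytes + xid, rest zero-filled."""
    return struct.pack("!BBBBI", op, htype, hlen, hops, xid) + b"\x00" * 228

def fired_events(payload: bytes, apply_byte_test: bool) -> list:
    """Events whose conditions hold for this payload.

    apply_byte_test=False mirrors the generated Bro signatures, whose only remaining
    payload condition is `payload /\\x01/` (first byte 0x01, i.e. a BOOTREQUEST).
    apply_byte_test=True adds the check the original Snort rules intended.
    Which single event Bro would report is engine behaviour; this lists all matches.
    """
    events = []
    for _sid, (spec, event) in RULES.items():
        if payload[:1] != b"\x01":
            continue
        if apply_byte_test and not byte_test(payload, spec):
            continue
        events.append(event)
    return events

if __name__ == "__main__":
    normal = bootp_header()
    print("generated sigs, normal request:", fired_events(normal, False))
    print("with byte_test, normal request:", fired_events(normal, True))
    print("with byte_test, hlen=16:", fired_events(bootp_header(hlen=16), True))
```

On a perfectly ordinary BOOTREQUEST both generated signatures match, which is why both events are seen; with the byte_test applied, only a request with an oversized hlen or an unexpected htype would match.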