I'm a Bro newbie, so please forgive me if this is a trivial question. I'm experimenting with the signature module and did the following simple test: Using the file "ntp-attack.trace" in the example-attacks directory in the bro-pub-0.8a86 release. I used this signature file
Try using /.*version/. The regexp is matched starting with the first
byte of the payload.