When I run Bro with this signature, I was able to see a log for the packet
that matches the pattern first, i.e., the packet with
abc or xyz (whichever comes first) gets logged and the rest don't generate
a log.
Only one pattern ever matches and the others go unnoticed.
Is there anything wrong in writing the 'OR' condition?
Yes, this should be written instead as:
payload /.*(abc)|(xyz).*/
Or, if you want to match "abc" or "xyz" anywhere in the payload, as:
payload /.*(abc|xyz).*/
I wrote the same pattern in the payload; only the first packet that matches
the pattern (either 'abc' or 'xyz') gets logged.
Bro checks for the pattern in each packet, so I should have got logs for all
the packets that have at least one of the patterns.
I believe what's going on is that "payload" is matching the TCP *byte-stream*
rather than individual packets. As such, there's just one match to the
pattern, since the .*'s eat up everything else in the byte-stream.
There's an option to just match packet payloads, but I don't recall what
it is. I've cc'd Robin since he's the expert on the signature engine.
I believe what's going on is that "payload" is matching the TCP *byte-stream*
rather than individual packets. As such, there's just one match to the
pattern, since the .*'s eat up everything else in the byte-stream.
That's right.
There's an option to just match packet payloads, but I don't recall what
it is.
No, there is no option (UDP is matched packet-wise but even for UDP
Bro reports each signature-match only once per UDP flow).
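An added illustration, not from the thread and not Bro's own engine, that approximates the two behaviours with Python's re module on constructed sample segments. It assumes Bro anchors payload patterns at the start of the data (hence re.match rather than re.search, and hence the leading .*), and shows why per-packet matching would hit several segments while the reassembled TCP byte-stream yields a single match that the greedy .*'s stretch over everything.

```python
import re

# Constructed sample: three TCP segments of one flow (not from the thread).
PACKETS = [b"hello abc world", b"nothing here", b"now xyz again"]

# Grouped alternation: "abc or xyz anywhere", as the second suggested form.
GROUPED = re.compile(rb".*(abc|xyz).*", re.DOTALL)
# '|' binds more loosely than concatenation, so the first suggested form reads
# as (.*abc)|(xyz.*): "abc anywhere" OR "xyz at the very start of the data".
UNGROUPED = re.compile(rb".*(abc)|(xyz).*", re.DOTALL)


def per_packet(pattern, packets):
    """Apply the pattern to each segment on its own (what the poster expected).
    Returns the indexes of the segments that match."""
    return [i for i, p in enumerate(packets) if pattern.match(p)]


def per_stream(pattern, packets):
    """Apply the pattern once to the reassembled TCP byte-stream (what Bro's
    'payload' actually sees). Returns how many bytes the single match
    consumed: with a greedy .* on both sides it is the whole stream, so there
    is nothing left for a second match and the signature fires once."""
    stream = b"".join(packets)
    m = pattern.match(stream)
    return m.end() - m.start() if m else 0


if __name__ == "__main__":
    print("per packet, grouped:  ", per_packet(GROUPED, PACKETS))    # [0, 2]
    print("per packet, ungrouped:", per_packet(UNGROUPED, PACKETS))  # [0]
    print("stream bytes consumed:", per_stream(GROUPED, PACKETS))   # 40
```

Note that the ungrouped form misses the third segment because "xyz" is not at the start of that data, which is the precedence problem the first reply points at.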