Hello,
It seems to be hard to do pattern-matching in Bro to find a pattern in
normal packets (packets that don't init/terminate an event, or aren't
part of a protocol command like "STOR xxx" in FTP but are in the content of file
xxx). For example, I want to alert on any attempt to use the command "su" on a
Telnet session, or alert if any file uploaded via FTP contains the pattern of
a worm...
Am I right if I say Bro only pays attention to "special" packets like those
above? If I'm not, please drop me an example of a policy script for the
Telnet case mentioned above.
Hope to receive your reply soon.
PS: I'm using Bro v0.6
--------------------------------------------------------------------------------------
Trinh Anh Tuan
CMO/CFTI - Institute of Technology Research & Application
Ministry of Science, Technology and Environment
Tel: (84-4) 8541197
Fax: (84-4) 8548187
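As an added illustration for the Telnet case asked about above (this is not a script from the original thread or from the Bro distribution): Bro's login analyzer reconstructs the Telnet/Rlogin byte stream into lines and raises an event per typed line, so payload content can be matched with a pattern even though no "special" packet is involved. The example assumes the classic login.bro event `login_input_line(c: connection, line: string)` and the old-style `log fmt(...)` statement; the pattern name `su_cmd` is my own.

```bro
# Added example (assumed classic Bro syntax, not part of the original thread).
# Match a line typed into a Telnet/Rlogin session that invokes "su",
# with optional leading whitespace and either whitespace or end of line after it.
@load login

const su_cmd = /^[ \t]*su([ \t]|$)/;

# login_input_line is raised by the login analyzer for every line the
# client sends, i.e. for ordinary data packets, not only for session setup.
event login_input_line(c: connection, line: string)
	{
	if ( su_cmd in line )
		{
		log fmt("su attempt on login session %s:%s -> %s:%s: %s",
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, line);
		}
	}
```

The same idea covers the FTP upload case: the data channel's content is delivered to whichever analyzer handles it, and a pattern is checked against the reassembled data rather than against individual packets. Whether a given analyzer and event exist in v0.6 should be checked against that release's policy files, since the script above assumes the login analyzer's per-line event.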
Hello,
It seems very hard for me to understand the event queue mechanism in Bro; unfortunately, it is a very important part of packet processing.
Can anybody drop me some hints? Descriptions? A schema?...
Many thanks for all responses.
--------------------------------------------------------------------------------------
Trinh Anh Tuan
CMO/CFTI - Institute of Technology Research & Application
Ministry of Science, Technology and Environment
Tel: (84-4) 8541197
Fax: (84-4) 8548187