Add a New Signature
To add a new signature to a running Bro, add the signature to the file site/site.sigs (or create a new .sig file in that directory), and then restart Bro using "$BROHOME/etc/bro.rc checkpoint".
A sample signature looks like this:

    signature formmail-cve-1999-0172 {
        ip-proto == tcp
        dst-ip == 1.2.0.0/16
        dst-port = 80
        http /.*formmail.*\?.*recipient=[^&]*[;|]/
        event "formmail shell command"
    }

For more details, see the reference manual.
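
Before adding a signature to site/site.sigs, it helps to check which request URIs its pattern does and does not match. The Python script below does that for the sample's http pattern; it is an added example, not part of the Bro distribution. It assumes the pattern is applied from the start of the percent-decoded request URI, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Pattern copied from the http condition of the sample signature above.
FORMMAIL_PATTERN = r".*formmail.*\?.*recipient=[^&]*[;|]"


def uri_matches(raw_uri, pattern=FORMMAIL_PATTERN):
    """Return True if the percent-decoded URI matches the pattern.

    Assumption: the pattern is matched against the decoded URI and is
    anchored at the start of the input; re.match approximates that here.
    """
    return re.match(pattern, unquote(raw_uri)) is not None


# Constructed sample request URIs with the expected verdict (not real traffic).
SAMPLES = [
    # Ordinary form submission: recipient value has no ';' or '|'.
    ("/cgi-bin/formmail.pl?recipient=webmaster@example.com&subject=hi", False),
    # Shell metacharacter inside the recipient value.
    ("/cgi-bin/formmail.pl?recipient=a@example.com;CMD", True),
    # Same, with the '|' sent percent-encoded.
    ("/cgi-bin/formmail.pl?recipient=a@example.com%7CCMD", True),
    # ';' in a different parameter: [^&]* keeps the match inside recipient.
    ("/cgi-bin/formmail.pl?subject=a;b&recipient=a@example.com", False),
    # recipient with ';' but not a formmail URI.
    ("/index.html?recipient=a;b", False),
]


def check_samples(samples=SAMPLES):
    """Return (uri, expected, actual) for every sample whose verdict differs."""
    return [(uri, expected, uri_matches(uri))
            for uri, expected in samples
            if uri_matches(uri) != expected]


if __name__ == "__main__":
    for uri, _ in SAMPLES:
        verdict = "MATCH" if uri_matches(uri) else "no match"
        print(f"{verdict:8}  {uri}")
    mismatches = check_samples()
    print("all samples behave as expected" if not mismatches else mismatches)
```
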