Add a New Signature

To add a new signature to a running Bro, add the signature to the file site/site.sigs (or create a new .sig file in that directory), and then restart Bro using "$BROHOME/etc/bro.rc checkpoint".

A sample signature looks like this:

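signature formmail-cve-1999-0172 {
       # Header conditions: TCP traffic to port 80 on hosts in 1.2.0.0/16
       ip-proto == tcp
       dst-ip == 1.2.0.0/16
       dst-port == 80
       # Pattern matched against the URI of HTTP requests
       http /.*formmail.*\?.*recipient=[^&]*[;|]/
       # Message reported when the signature matches
       event "formmail shell command"
}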

For more details, see the reference manual.