8.2.1.4 Context conditions

Context conditions pass the match decision on to various other components of Bro. They are only evaluated if all other conditions have already matched. The following context conditions are defined:

eval policy function

The given policy function is called and has to return a boolean indicating the match result. The function has to be of the type function cond(state: signature_state): bool. See \f{fig:signature-state} for the definition of signature_state.

          type signature_state: record {
              id: string;          # ID of the signature
              conn: connection;    # Current connection
              is_orig: bool;       # True if current endpoint is originator
              payload_size: count; # Payload size of the first pkt of curr. endpoint
              };
     

Figure 8.1: Definition of the signature_state record

ip-options

Not implemented currently.

payload-size comp_integer

Compares the integer to the size of the payload of a packet. For reassembled TCP streams, the integer is compared to the size of the first in-order payload chunk. Note that the latter is not well defined.

same-ip

Evaluates to true if the source address of the IP packets equals its destination address.

tcp-state state-list

Poses restrictions on the current TCP state of the connection. state-list is a comma-separated list of established (the three-way handshake has already been performed), originator (the current data is send by the originator of the connection), and responder (the current data is send by the responder of the connection).