Add a New Signature
To add a new signature to a running Bro, add the signature to the file
site/site.sigs (or create a new .sig file in that directory),
and then restart Bro using "$BROHOME/etc/bro.rc checkpoint".
A sample signature looks like this:
    signature formmail-cve-1999-0172 {
      ip-proto == tcp
      dst-ip == 1.2.0.0/16
      dst-port == 80
      http /.*formmail.*\?.*recipient=[^&]*[;|]/
      event "formmail shell command"
    }
For more details, see the reference manual.
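Before adding a signature to site/site.sigs, it helps to confirm which requests its conditions actually select. The following Python sketch is an added example, not part of the Bro distribution or its manual: it parses the sample signature block and evaluates it against constructed requests. Assumptions: the names `parse_signature` and `matches` are hypothetical, only `==` header conditions are handled, and Python's `re.match` stands in for Bro's own pattern matcher.

```python
import ipaddress
import re

# The sample signature from this page, with every header condition using "==".
SIG_TEXT = r'''
signature formmail-cve-1999-0172 {
  ip-proto == tcp
  dst-ip == 1.2.0.0/16
  dst-port == 80
  http /.*formmail.*\?.*recipient=[^&]*[;|]/
  event "formmail shell command"
}
'''

def parse_signature(text):
    """Parse one signature block into id, header conditions, http pattern, event."""
    m = re.search(r'signature\s+(\S+)\s*\{(.*)\}', text, re.S)
    if not m:
        raise ValueError("no signature block found")
    sig = {"id": m.group(1), "header": {}, "http": None, "event": None}
    for line in filter(None, (l.strip() for l in m.group(2).splitlines())):
        if line.startswith("http "):
            # Drop the enclosing slashes; Python's re approximates Bro's matcher here.
            sig["http"] = re.compile(line[5:].strip()[1:-1])
        elif line.startswith("event "):
            sig["event"] = line[6:].strip().strip('"')
        else:
            field, op, value = line.split(None, 2)
            if op != "==":  # limitation of this sketch, not a statement about Bro
                raise ValueError(f"unsupported comparator {op!r} in {line!r}")
            sig["header"][field] = value
    return sig

def matches(sig, proto, dst_ip, dst_port, uri):
    """Return True when a constructed request satisfies every condition."""
    h = sig["header"]
    return (proto == h["ip-proto"]
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(h["dst-ip"])
            and dst_port == int(h["dst-port"])
            and sig["http"].match(uri) is not None)  # anchored at the URI start

if __name__ == "__main__":
    sig = parse_signature(SIG_TEXT)
    # Constructed sample requests: (proto, dst-ip, dst-port, URI).
    for req in [("tcp", "1.2.3.4", 80, "/cgi-bin/formmail.pl?recipient=a@example.com;x"),
                ("tcp", "1.2.3.4", 80, "/cgi-bin/formmail.pl?recipient=a@example.com&s=a;b"),
                ("tcp", "10.0.0.1", 80, "/cgi-bin/formmail.pl?recipient=a@example.com;x")]:
        print(sig["event"] if matches(sig, *req) else "no match", req)
```

The second sample shows that `[^&]*` confines the `;` or `|` check to the recipient parameter, and the third that a request outside 1.2.0.0/16 is never selected, so `dst-ip` has to be set to the site's own address range.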