<div dir="ltr">Hi, I downloaded a tar from Emerging Threats, <a href="https://rules.emergingthreats.net/open/suricata-5.0/">https://rules.emergingthreats.net/open/suricata-5.0/</a>, and Zeek has loaded all the signatures (29670), excluding the pcre option from the Suricata rules, but I included content, ip, port, flow, nocase of content, etc., and Zeek came up correctly.<br><div>Yes, I know they are tools that are made to work in parallel, but these are the design requirements.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 23, 2020 at 3:29 PM Richard Bejtlich <<a href="mailto:richard@corelight.com">richard@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Vincenzo,<div><br></div><div>I am not a developer, so I can't comment on the programming aspects. However, from what little I know about the optimizations and use cases for Zeek compared to Suricata, it makes sense to run each tool in the manner for which it was designed. </div><div><br></div><div>In other words, depending on the number of signatures you want to port to Zeek, and on whether they work as expected, it's possible you will cripple your Zeek deployment. Can you tell us a little bit more about your expected use case? 
It might be better to just run both tools in parallel.</div><div><br></div><div>Sincerely,</div><div><br></div><div>Richard</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 23, 2020 at 8:38 AM Vincenzo <<a href="mailto:vincyforce@gmail.com" target="_blank">vincyforce@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I am working on a Suricata signature converter, converting the rules for Zeek, starting from this development <a href="https://github.com/adi928/brocata" target="_blank">https://github.com/adi928/brocata</a> (which currently does not work), and I am doing various bug fixes and expanding it.<br>But I have only one problem: it concerns the conversion of the rules containing Suricata pcre into expressions compatible with Zeek ("flex").<br>Has anyone ever approached this development, and could you give me some advice?<br><div><br></div><div>Does anyone know of other development for this scope?</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Richard Bejtlich<div>Principal Security Strategist, Corelight</div><div><a href="https://corelight.blog/author/richardbejtlich/" target="_blank">https://corelight.blog/author/richardbejtlich/</a><br></div></div></div></div></div></div></div>
</blockquote></div>
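As an added illustration of the conversion described in this thread (content, ip, port, flow and nocase carried over, pcre left out), the following Python is an example written for this page; it is not code from brocata, from Emerging Threats or from any participant. It assumes a $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS mapping (constructed here; a real converter would read it from suricata.yaml) and a constructed sample rule in Emerging Threats style. Options that narrow a Suricata match but have no Zeek signature equivalent (pcre, within, distance, depth, offset, sticky buffers, negated content) are dropped and reported, because dropping them only ever makes the Zeek signature fire more often, never less; rules that cannot be expressed at all (bidirectional "<>", port ranges, unresolved variables) are rejected with a reason.

```python
"""Convert a Suricata rule subset (header, flow, content, nocase, msg, sid) to a Zeek signature.

Example written for this page, not brocata's code. The pcre option is dropped and reported
rather than translated; rules the Zeek signature framework cannot express are rejected.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed variable mapping (constructed for this example; real values live in suricata.yaml).
NET_VARS: Dict[str, str] = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "!192.168.0.0/16"}
PORT_VARS: Dict[str, str] = {"$HTTP_PORTS": "80,8080"}
FLOW_MAP = {"established": "established", "to_server": "originator", "from_client": "originator",
            "to_client": "responder", "from_server": "responder"}
NO_MATCH_SEMANTICS = {"rev", "classtype", "metadata", "reference", "priority", "target"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'k:v; k2; ...' on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur))
    out = []
    for opt in opts:
        key, sep, val = opt.strip().partition(":")
        if key:
            out.append((key, val.strip() if sep else None))
    return out


def content_to_regex(content: str) -> str:
    """Suricata content (quotes stripped) -> Zeek regex fragment. |hex| segments become \\xNN
    and every non-alphanumeric byte is hex-escaped so regex metacharacters and '/' stay literal."""
    out: List[str] = []
    for idx, part in enumerate(re.split(r"(?<!\\)\|", content)):
        if idx % 2:                      # odd segments sit between pipes: hex bytes
            data = bytes.fromhex(part)
        else:                            # literal text; undo Suricata's \" \\ \; \: \| escapes
            data = re.sub(r"\\([\\\";:|])", r"\1", part).encode("latin-1")
        out.extend(chr(b) if b < 128 and chr(b).isalnum() else f"\\x{b:02x}" for b in data)
    return "".join(out)


def _resolve(spec: str, table: Dict[str, str]) -> Tuple[bool, str]:
    """Expand a variable and fold negation; '[a,b]' lists become Zeek's 'a,b' value lists."""
    negate = spec.startswith("!")
    spec = table.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec.startswith("$"):
        raise ValueError(f"unresolved variable {spec}")
    if spec.startswith("!"):
        negate, spec = not negate, spec[1:]
    return negate, spec.strip("[]")


def addr_cond(field: str, spec: str) -> Optional[str]:
    """Zeek header condition for an address spec; None means 'any' (no condition emitted)."""
    negate, spec = _resolve(spec, NET_VARS)
    return None if spec == "any" else f"{field} {'!=' if negate else '=='} {spec}"


def port_cond(field: str, spec: str) -> Optional[str]:
    """Like addr_cond; Suricata port ranges (80:90) are not translated and raise."""
    negate, spec = _resolve(spec, PORT_VARS)
    if ":" in spec:
        raise ValueError(f"port range {spec!r} not translated")
    return None if spec == "any" else f"{field} {'!=' if negate else '=='} {spec}"


def convert(rule: str) -> Tuple[Optional[str], List[str]]:
    """Return (zeek_signature_text, notes); text is None when the rule was rejected."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None, ["header not parsed"]
    if m["dir"] == "<>":
        return None, ["bidirectional rule has no Zeek signature equivalent"]
    proto, notes, conds = m["proto"].lower(), [], []
    if proto != "ip":
        conds.append(f"ip-proto == {proto}")
    try:
        conds += [c for c in (addr_cond("src-ip", m["src"]), port_cond("src-port", m["sport"]),
                              addr_cond("dst-ip", m["dst"]), port_cond("dst-port", m["dport"])) if c]
    except ValueError as err:
        return None, [str(err)]
    msg, sid, contents = "suricata rule match", "unnamed", []   # contents: [regex, nocase] or None
    for key, val in split_options(m["opts"]):
        if key == "content" and val and not val.startswith("!"):
            contents.append([content_to_regex(val.strip('"')), False])
        elif key == "nocase" and contents and contents[-1]:
            contents[-1][1] = True
        elif key == "flow" and val and proto == "tcp":
            states = [FLOW_MAP[s.strip()] for s in val.split(",") if s.strip() in FLOW_MAP]
            if states:
                conds.append("tcp-state " + ",".join(states))
        elif key == "msg" and val:
            msg = val.strip('"')
        elif key == "sid" and val:
            sid = val
        elif key not in NO_MATCH_SEMANTICS:
            if key == "content":
                contents.append(None)    # keep position so a later nocase does not attach wrongly
            # pcre, within/distance/depth/offset, sticky buffers, negated content all narrow the
            # Suricata match; dropping them makes the Zeek signature noisier, never quieter.
            notes.append(f"{key} dropped: {val or ''}")
    lines = [f"signature et-{sid} {{"] + [f"    {c}" for c in conds]
    for item in contents:
        if item:
            rx = f"(?i:{item[0]})" if item[1] else item[0]
            lines.append(f"    payload /.*{rx}/")   # Zeek payload patterns are anchored, hence .*
    lines += [f'    event "{msg}"', "}"]
    return "\n".join(lines), notes


# Constructed sample in Emerging Threats style; not a real ET rule.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET WEB_SERVER example"; '
               'flow:established,to_server; content:"GET"; nocase; content:"|2f|evil.php"; '
               'pcre:"/evil\\.php\\?id=\\d+/"; sid:2000001; rev:1;)')

if __name__ == "__main__":
    sig, notes = convert(SAMPLE_RULE)
    print(sig)
    for n in notes:
        print("# " + n)
```

Running the block prints the Zeek signature for the sample plus one line per dropped option. That per-rule report is what a practitioner wants to review before loading tens of thousands of converted signatures: every dropped pcre is a signature that now fires on its content matches alone, and multiple `payload` lines in one Zeek signature are simply ANDed, which only mirrors a Suricata rule's multiple content options when no ordering constraints (distance, within) were attached to them.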