[Bro] Unicode Parser??
robin at icir.org
Mon Apr 28 09:57:07 PDT 2008
On Mon, Apr 28, 2008 at 07:54 -0400, Dr. Aaron J. Ferguson wrote:
> Can Bro be configured to look for Unicode code points in network traffic
> then execute event-oriented analyzers that compare the activity with
> patterns known bad traffic?
One could write a signature to detect Unicode. The signature match
would raise an event which can then be further analyzed for whatever
indicators the known patterns rely on.
Not sure if this is what you looking for. Perhaps you could give us
a bit more context?
> I saw a reference language called BINPac that may be able to do
> this. Thoughts?
Binpac is high-level language to write parsers for application-layer
protocols. A Binpac parser wouldn't look for unicode itself; it
could however further analyze a specific application which uses
Unicode. See http://www.icir.org/robin/papers/imc06.pdf for more
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro