[Bro] raw bytes question

Martin Holste mcholste at gmail.com
Thu Apr 16 11:44:01 PDT 2009

This raises a question that I've been wondering since poring over the 1.4
manual regarding how well Bro greps packets.  Specifically, the manual says
that signatures are off by default and that the grepping is per-packet with
no stream reassembly capabilities.  It also appears that there's no
particularly fancy pattern matching engine under the hood, indicating that
matching on full snaplengths for many signatures produces high load.  I
haven't measured this myself, so I'm wondering if this is the case.  Does
anyone have any statisical (or anecdotal) evidence as to how many sigs can
run under a subnet with mostly web client traffic?



On Thu, Apr 16, 2009 at 12:19 PM, Seth Hall <hall.692 at osu.edu> wrote:

> Hi Tim,
> On Apr 16, 2009, at 12:13 PM, Tim Rupp wrote:
> > Is there an event I can hook that would allow me to do a regex on the
> > raw bytes of a packet if I knew the hex pattern of the bytes I want to
> > match?
> If you want an example of working with signatures and policy script, I
> went ahead and added a script for detecting SSN leakage that works by
> having a signature that is subsequently handled in policy script.  It
> uses a list of known US SSNs for your organization and filters out
> false positives by using that list.  We've caught quite a few minor
> violations with this script since we started running it.
> Here's the policy script:
> http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn-exposure.bro
> The corresponding signature definition file is here:
> http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn.sig
> Let me know if you have any problems understanding what's happening
> between the signature definition and the policy script.  That simple
> interaction is a little muddied by the rest of the script.
>   .Seth
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090416/f183a147/attachment.html 

More information about the Bro mailing list