[Bro] Emerging Threats signatures on Bro ids ?
vladg at cmu.edu
Fri Aug 10 16:48:21 PDT 2012
As Martin said, that would be a good start, and would provide everyone with some very useful data. Long-term, however, I think that this is a perfect fit for the upcoming intelligence framework. As I understand it, the goal of that framework is to separate the scripting layer from the intelligence layer (so, you have a user-agent analyzer script, which reads good or bad user agents from the intelligence layer. Your script stays nice and clean, and your intelligence can just be presented in a logical way, and be processed by the script into something useful).
Unfortunately, Emerging Threats doesn't present the intelligence in a logical way, and it's preprocessed for Snort. What I'd love to see is ET just provide *data*, and then you have a script to convert it to a format Snort understands, Bro processes it into something it understands, and so on.
tl;dr: I think it'd be very useful to have this data, but I don't think anyone should sink too much time into it until the intel framework comes out.
On Aug 10, 2012, at 6:33 PM, Martin Holste <mcholste at gmail.com>
> Your best bet would be to try to convert the ET USER_AGENTS signatures
> and modify them for inclusion in
> . That would be a good start.
> On Fri, Aug 10, 2012 at 7:19 PM, rmkml <rmkml at yahoo.fr> wrote:
>> Anyone interested in supporting / converting Emerging Threats [ET] signatures on Bro IDS?
>> - convert to regexp Bro format (if threats are easy)
>> - or better, convert to the powerful Bro language... (more complex threats)
>> Not an automatic converter, need (long long) review of all signatures to understand threats and use a better (Bro) converter...
>> What do you think ?
>> I'm interested if anyone is running future Bro+ET; direct feedback... (FP, FN, performance....)
>> Happy Detect with Bro, Suricata and Snort.
>> Bro mailing list
>> bro at bro-ids.org
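The data-first pipeline vladg argues for (ET publishes plain indicator data, and a small per-tool script renders it for Snort or Bro), sketched as an added example that is not code from this thread, from ET, or from the Bro project: it takes a constructed list of User-Agent strings and emits one Snort rule and one Bro signature per entry. The Snort rule layout, the local sid range and the Bro `http-request-header` signature condition are assumptions about the two tools' syntax, not something the thread states.

```python
# Constructed sample of a "data only" feed: (user-agent string, description).
# Made-up values for illustration, not real ET indicators.
BAD_USER_AGENTS = [
    ("Mozilla/4.0 (compatible; MSIE 6.0; Win32)", "constructed UA 1"),
    ("Java/1.6.0_13", "constructed UA 2"),
]
LOCAL_SID_BASE = 1000000       # Snort reserves sid >= 1000000 for local rules
BRO_RE_SPECIAL = set('.^$*+?()[]{}|\\/')

def snort_content(s):
    """Encode a literal for Snort content:, hex-escaping bytes that are
    special there ('|', ';', '"', '\\') or non-printable."""
    out = []
    for b in s.encode("utf-8"):
        if b in b'|;"\\' or not 0x20 <= b < 0x7f:
            out.append("|%02X|" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def bro_regex(s):
    """Escape a literal for use inside a Bro signature /regex/ (assumed syntax)."""
    return "".join("\\" + c if c in BRO_RE_SPECIAL else c for c in s)

def to_snort_rule(ua, desc, sid):
    desc = desc.replace('"', "").replace(";", ",")  # keep msg: well-formed
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            '(msg:"ET USER_AGENTS %s"; flow:established,to_server; '
            'content:"User-Agent|3a| %s"; http_header; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (desc, snort_content(ua), sid))

def to_bro_signature(ua, desc, idx):
    return "\n".join([
        "signature et-user-agent-%d {" % idx,
        "    ip-proto == tcp",
        "    dst-port == 80",
        "    http-request-header /User-Agent: %s/" % bro_regex(ua),
        '    event "ET USER_AGENTS %s"' % desc.replace('"', ""),
        "}",
    ])

def convert(feed):
    """Turn the plain data feed into (snort_rules, bro_signatures)."""
    rules = [to_snort_rule(ua, d, LOCAL_SID_BASE + i) for i, (ua, d) in enumerate(feed)]
    sigs = [to_bro_signature(ua, d, i) for i, (ua, d) in enumerate(feed)]
    return rules, sigs

if __name__ == "__main__":
    print("\n".join(convert(BAD_USER_AGENTS)[0]))
```

Keeping the feed as data means a reviewer checks the indicator once, and each tool's output can be regenerated whenever the converter or the tool's syntax changes.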