[Bro] Emerging Threats signatures on Bro ids ?

Vlad Grigorescu vladg at cmu.edu
Fri Aug 10 16:48:21 PDT 2012

Hi Rmkml,

As Martin said, that would be a good start, and would provide everyone with some very useful data. Longterm, however, I think that this is a perfect fit for the upcoming intelligence framework. As I understand it, the goal of that framework is to separate the scripting layer from the intelligence layer (so, you have a user-agent analyzer script, which reads good or bad user agents from the intelligence layer. Your script stays nice and clean, and your intelligence can just be presented in a logical way, and be processed by the script into something useful).

Unfortunately, Emerging Threats doesn't present the intelligence in a logical way, and it's preprocessed for Snort. What I'd love to see is ET just provide *data*, and then you have a script to convert it to a format Snort understands, Bro processes it into something it understands, and so on.

tl;dr: I think it'd be very useful to have this data, but I don't think anyone should sink too much time into it until the intel framework comes out.


On Aug 10, 2012, at 6:33 PM, Martin Holste <mcholste at gmail.com>

> Your best bet would be to try to convert the ET USER_AGENTS signatures
> and modify them for inclusion in
> https://github.com/grigorescu/bro-scripts/blob/9d59a7a482b068304a2d33a3c9c8dc696c176650/scripts/http-exe-bad-attributes.bro
> .  That would be a good start.
> On Fri, Aug 10, 2012 at 7:19 PM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>> Anyone interested for supporting / converting Emerging Threats [ET] signatures on Bro IDS ?
>> - convert on regexp bro format (if threats are easy)
>> - or better convert to a bro powerful language... (more complex threats)
>> Not a automatic converter, need (long long) review all signatures for understand threats and use better (bro) converter...
>> What do you think ?
>> Im interested if anyone are running futur bro+ET direct feedback... (FP, FN, performance....)
>> Happy Detect with Bro, Suricata and Snort.
>> Regards
>> Rmkml
>> http://twitter.com/rmkml
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list