[Bro] Emerging Threats signatures on Bro ids ?
rmkml at yahoo.fr
Mon Aug 13 17:13:38 PDT 2012
Starting the hard work...
Question please: is it possible to detect POST and URI (/abc) and argument (arg=test)?
POST /abc HTTP/1.0
This does not work, but something like:
("POST"==c$http$method)&&(/\/abc/ in c$http$uri)&&(/arg\=test/ in c$http$body????)
On Mon, 13 Aug 2012, rmkml wrote:
> OK, I'm looking at the user-agent ET sigs.
> On Mon, 13 Aug 2012, Seth Hall wrote:
>> On Aug 13, 2012, at 12:38 PM, rmkml at yahoo.fr wrote:
>>> This is why I need feedback please.
>> Oh! I forgot to include an alternate approach I thought of. If you are
>> still interested in going down this route, could you start by pulling out
>> malicious software user-agents from the ET signatures?
>> That's something that would fit well and easily into Bro right now and
>> into the intelligence framework in the future.
>> What do you think about that? We can certainly start small with very well
>> defined goals and move from there.
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
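
Added example, not part of the original thread and not code from Bro or ET: one way to do the user-agent extraction Seth Hall suggests. It assumes the signatures use Snort/Suricata rule syntax and match the header with a content option that starts with User-Agent|3a| and is followed by http_header. The sample rules, their sids and the function names are constructed for illustration.

```python
import re

# Constructed sample rules in Snort/Suricata syntax (not real ET signatures).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE User-Agent (ExampleBot)"; flow:established,to_server; content:"User-Agent|3a| ExampleBot/1.0|0d 0a|"; http_header; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE User-Agent (odd agent)"; content:"User-Agent|3A 20|odd|3b|agent"; nocase; http_header; sid:9000002; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE disabled"; content:"User-Agent|3a| Old"; http_header; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE POST to /abc"; content:"POST"; http_method; content:"/abc"; http_uri; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE missing UA"; content:!"User-Agent|3a| "; http_header; sid:9000005; rev:1;)
'''

# One rule option: "key;" or "key:value;", where value may be a quoted string.
OPTION = re.compile(r'\s*(\w+)(?::\s*(!?"(?:\\.|[^"\\])*"|[^;]*))?;')

def decode_content(value):
    """Turn a content string with |hex| runs into raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes: space-separated hex bytes
            out += bytes.fromhex(part)
        else:      # literal text; drop the backslash from \" \; \\
            out += re.sub(r'\\(.)', r'\1', part).encode("latin-1")
    return bytes(out)

def extract_user_agents(rules_text):
    """Return [(sid, user_agent, nocase)] for enabled rules matching a User-Agent header."""
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue  # blank, disabled, or not a rule
        body = line[line.index("(") + 1:line.rindex(")")]
        opts = OPTION.findall(body)
        sid = next((int(v) for k, v in opts if k == "sid"), None)
        for idx, (key, val) in enumerate(opts):
            if key != "content" or val.startswith("!"):
                continue  # negated matches describe absence, not an indicator
            # Modifiers apply to the content they follow, up to the next content.
            mods = []
            for k, _ in opts[idx + 1:]:
                if k == "content":
                    break
                mods.append(k)
            raw = decode_content(val[1:-1])
            if "http_header" in mods and raw.lower().startswith(b"user-agent:"):
                ua = raw[len(b"user-agent:"):].strip().decode("latin-1")
                if ua:
                    found.append((sid, ua, "nocase" in mods))
    return found
```

The nocase flag is kept because it decides whether the extracted string can be compared exactly or must be matched case-insensitively against the observed User-Agent header.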