[Bro] Emerging Threats signatures on Bro ids ?
rmkml at yahoo.fr
Wed Aug 15 09:14:12 PDT 2012
I'm continuing to update (user-agent currently) my conversion of the (open-GPL) Emerging Threats signatures,
but when I uncomment/enable these two lines in et_bro2_14aug_pb.bro:
228: else if ( (/[gG][oO][oO][gG][lL][eE][bB][oO][tT]/ in c$http$user_agent) && sid2015529 && (et_currents || et_useragent) )
229: NOTICE([$conn=c, $note=EmergingThreats, $msg=fmt("[1:2015529:1] ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious)")]);
Bro produces an error:
bro20 -C -r testbro.pcap et_bro2_14aug_pb
error in policy/et_bro2_14aug_pb.bro, line 229: memory exhausted, at or near "("
Just as a test, if I keep lines 228 and 229 enabled but comment out/disable the previous lines 224 and 225, Bro fires on my test...
Maybe it's an internal memory-related problem in Bro?
Does anyone know this problem and how to fix it, please?