[Bro] Emerging Threats signatures on Bro IDS?

Seth Hall seth at icir.org
Wed Aug 15 19:36:56 PDT 2012

On Aug 15, 2012, at 7:17 PM, rmkml <rmkml at yahoo.fr> wrote:

> ok, please find the fifth alpha release update (open-gpl) of the Emerging Threats signatures:

I think there are some fundamental issues at play here, and integrating the EmergingThreats signatures in this manner is probably not the right way to go.

Some comments on the script:

    - That et_performancepenalty variable won't really help since just handling the packet_content event is what will cause most of the overhead.

    - Your other variables such as sid2014029, et_trojan, and et_useragent are not actually providing any benefit because you aren't ordering the conditions correctly to allow for short circuiting.

    - You are accessing c$http$user_agent inside of http_header event handlers which will have several problems by itself.  That variable won't be filled out until the user-agent header is seen which means you will be filling the reporter log with a lot of error messages and possibly causing memory leaks because the event handler will be failing due to an attempt to access a null field in the record.  It's also something that could just be checked at a later point (like in http_message_done).

Those three big issues were just from a quick glance through the code.  There are better and more flexible ways of approaching this, but a big part of the problem is the way the intelligence from emerging threats is distributed is not suitable as-is for Bro right now.

The best thing that could come out of our community now is guidance for EmergingThreats on how to provide their data in a way that is less product specific.  The signatures are written for Snort and Suricata; trying to jam them into Bro without thinking hard about the problem is probably going to be a waste of effort unfortunately.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
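The fix Seth sketches in his third bullet (check the User-Agent once the message is complete rather than in http_header, and put the cheap field-existence guards in front of the regex so the expensive match short-circuits away) written out as an added Bro script example. This is not code from the thread or from rmkml's release: the module name, the notice type, and the regex are illustrative assumptions, and the pattern is a constructed placeholder, not an Emerging Threats signature.

```bro
# Added example, not part of the original thread.
# Assumptions: Bro 2.x script syntax, the base HTTP analyzer and the
# Notice framework loaded, and a made-up module/notice name.
@load base/protocols/http
@load base/frameworks/notice

module ETUserAgentExample;

export {
    redef enum Notice::Type += {
        ## Raised when a request's User-Agent matches the example pattern.
        Suspicious_User_Agent
    };

    ## Constructed placeholder pattern for illustration only; a real
    ## deployment would carry the actual signature's regex here.
    const suspicious_agents: pattern = /^(evil-bot\/[0-9]+|Mozilla\/4\.0 \(compatible;\))/ &redef;
}

# Wrong place for this check: inside http_header the User-Agent may not
# have been seen yet, so c$http$user_agent can be unset and the handler
# aborts on the null field, filling reporter.log with errors.
#
#   event http_header(c: connection, is_orig: bool, name: string, value: string)
#       {
#       if ( suspicious_agents in c$http$user_agent ) ...   # may fail
#       }

# Right place: by http_message_done every request header has been
# processed, so the record is either filled in or legitimately absent.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # Only the request side carries a User-Agent header.
    if ( ! is_orig )
        return;

    # Cheap guards first: confirm the HTTP record and the optional
    # user_agent field exist before touching them, so the regex below
    # is only ever evaluated on a value that is actually present.
    if ( ! (c?$http && c$http?$user_agent) )
        return;

    # Most expensive test last; everything above short-circuits it away.
    if ( suspicious_agents in c$http$user_agent )
        NOTICE([$note=Suspicious_User_Agent,
                $msg=fmt("Suspicious User-Agent: %s", c$http$user_agent),
                $sub=c$http$user_agent,
                $conn=c]);
    }
```

The per-connection cost here is one field-existence check per completed request, instead of a regex on every header line; the expensive handler Seth warns about (packet_content) is never involved.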
