[Bro] Emerging Threats signatures on Bro ids ?
seth at icir.org
Wed Aug 15 19:36:56 PDT 2012
On Aug 15, 2012, at 7:17 PM, rmkml <rmkml at yahoo.fr> wrote:
> ok please find Five alpha release update (open-gpl) Emerging Threats signatures:
I think there are some fundamental issues at play here, and integrating the EmergingThreats signatures in this manner is probably not the right way to go.
Some comments on the script:
- That et_performancepenalty variable won't really help since just handling the packet_content event is what will cause most of the overhead.
- Your other variables such as sid2014029, et_trojan, and et_useragent are not actually providing any benefit because you aren't ordering the conditions correctly to allow for short circuiting.
- You are accessing c$http$user_agent inside of http_header event handlers, which will have several problems by itself. That variable won't be filled out until the user-agent header is seen, which means you will be filling the reporter log with a lot of error messages and possibly causing memory leaks, because the event handler will be failing due to an attempt to access a null field in the record. It's also something that could just be checked at a later point (like in http_message_done).
Those three big issues were just from a quick glance through the code. There are better and more flexible ways of approaching this, but a big part of the problem is the way the intelligence from emerging threats is distributed is not suitable as-is for Bro right now.
The best thing that could come out of our community now is guidance for EmergingThreats on how to provide their data in a way that is less product specific. The signatures are written for Snort and Suricata; trying to jam them into Bro without thinking hard about the problem is probably going to be a waste of effort, unfortunately.
International Computer Science Institute
(Bro) because everyone has a network
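Added illustration for readers of this thread (not code from the reply above, nor from the rmkml script it reviews): a minimal Bro 2.x script showing the two points made about the http_header handler, i.e. guard optional record fields before reading them, and evaluate the User-Agent check once per request in http_message_done rather than on every header. The module name, notice type and the watched pattern are constructed placeholders; the thread does not quote the content of sid 2014029, so no real ET pattern is reproduced.

```bro
##! Example only: safe placement of a User-Agent check in Bro.
##! Assumed names: module ET_UA_Example, notice type Suspicious_User_Agent,
##! and a constructed placeholder pattern in watched_user_agents.

@load base/protocols/http
@load base/frameworks/notice

module ET_UA_Example;

export {
    redef enum Notice::Type += {
        ## Raised when a request's User-Agent matches a watched pattern.
        Suspicious_User_Agent
    };

    ## Constructed placeholder; a real deployment would carry the pattern
    ## of the rule being translated, which this thread does not quote.
    const watched_user_agents: pattern = /^Example-Bad-Agent\// &redef;
}

# The fragile form criticised in the reply: http_header fires once per
# header, and c$http$user_agent is unset until the User-Agent header itself
# has been parsed, so reading it here aborts the handler with a
# "field value missing" reporter error on every earlier header.
#
# event http_header(c: connection, is_orig: bool, name: string, value: string)
#     {
#     if ( watched_user_agents in c$http$user_agent )   # may not be set yet
#         NOTICE([$note=Suspicious_User_Agent, $conn=c]);
#     }

# Cheaper and safe: runs once per HTTP message, after all headers are known.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # User-Agent lives in the request, so only look at the originator side.
    if ( ! is_orig )
        return;

    # Test that the optional fields exist before dereferencing them. The
    # cheap tests come first so the regex is only evaluated when there is
    # actually a User-Agent string to match (the short-circuit ordering the
    # reply asks for).
    if ( ! c?$http || ! c$http?$user_agent )
        return;

    if ( watched_user_agents !in c$http$user_agent )
        return;

    NOTICE([$note=Suspicious_User_Agent,
            $conn=c,
            $msg=fmt("User-Agent matched watched pattern: %s",
                     c$http$user_agent),
            # Suppress repeats from the same host with the same agent string.
            $identifier=cat(c$id$orig_h, c$http$user_agent)]);
    }
```

Loading this alongside the default HTTP analysis produces one notice per (client, User-Agent) pair instead of one reporter error per header, and the regex runs at most once per request.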