[Bro] Emerging Threats signatures on Bro ids ?

Seth Hall seth at icir.org
Thu Aug 16 12:09:45 PDT 2012


On Aug 16, 2012, at 2:28 PM, Matt Jonkman <jonkman at emergingthreats.net> wrote:

> We tried this years ago as I mentioned, and the impact we had on
> performance wasn't good. What is essentially the approach we need to
> take to put the same intel into a form Bro can use effectively? Do we
> have to not think "one bro sig == one suricata sig"?


It's even a bit further than that I'm afraid.  The problem is that in the case of many of your rules you have some intelligence in them, but it's encoded with the implicit assumption that you are just scanning a byte stream (in most cases at least).  

Since I work best in very concrete terms, I'll give some examples of signatures and how they could be reapplied into general intelligence that we could more easily consume…

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:12;)

What that rule is really doing is looking for file names matching the regular expression…
	/^DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip$/

The first version of the intelligence framework in Bro won't support regular expressions unfortunately, but hopefully it will eventually.  The data would be included into Bro like this (this is made up right now, just to get the idea across):

	[$pattern=/^DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip$/, $subtype=Intel::FILENAME, $expected_in=Intel::EMAIL]

If you had a full filename to match it might look like this…

	[$str="DHL.zip", $subtype=Intel::FILENAME, $expected_in=Intel::EMAIL]

By feeding in intelligence this way we can suddenly reuse that information to start doing these matches in other protocols and in ways that you didn't originally expect.


Another example:

#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec/197.exe"; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:3;)

This would be:
	[$glob="*/codec/197.exe", $subtype=Intel::URL, $expected_in=Intel::URL]


I will say there are plenty of examples in your set now that we don't yet have a great answer for, but we're considering how to make those work as well.

  .Seth




--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
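Added example (not part of Seth's message, and not code from Bro or Emerging Threats): a small Python converter that lifts the two rules quoted above into the record shape he sketches, then applies those records to observed filenames and URLs. The record field names ($pattern/$glob, $subtype, $expected_in) copy the made-up layout in the message and are not a real Bro API; the guess of $expected_in from the rule header (SMTP port 25 -> email, HTTP -> URL) and the stripping of the name="..." wrapper from the pcre are assumptions made here to reproduce the two conversions in the message.

```python
"""Convert Emerging Threats rules into intel-style records (added example;
the record layout imitates the made-up shape in the message, not a Bro API)."""
import fnmatch
import re

# Constructed input: the two rules quoted in the message, verbatim.
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:12;)',
    r'#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec/197.exe"; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:3;)',
]


def split_options(text):
    """Split the option body on ';' characters that sit outside double quotes."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:       # keep pcre escapes such as \x22 intact
            buf.append(ch)
            escaped = True
        elif ch == ';' and not in_quote:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    tail = ''.join(buf).strip()
    return opts + [tail] if tail else opts


def parse_rule(rule):
    """Parse a Snort/Suricata rule into its header and ordered options."""
    rule = rule.lstrip('#').strip()          # ET ships some rules disabled with '#'
    start, end = rule.index('('), rule.rindex(')')
    header = rule[:start].split()
    opts = []
    for item in split_options(rule[start + 1:end]):
        key, sep, value = item.partition(':')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.append((key.strip(), value if sep else None))
    return {'proto': header[1], 'dst': header[5:7], 'options': opts}


def decode_content(value):
    """Expand Snort |hex| escapes, e.g. 'name=|22|DHL' -> 'name="DHL'."""
    return re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), value)


def expected_in(parsed):
    """Assumption: guess the context from the rule header, as the message does."""
    dst_host, dst_port = parsed['dst']
    if parsed['proto'] == 'http' or dst_port == '$HTTP_PORTS':
        return 'Intel::URL'
    if dst_port == '25' or dst_host == '$SMTP_SERVERS':
        return 'Intel::EMAIL'
    return None


def to_intel(rule):
    """Lift the rule's payload match into a protocol-independent record,
    or return None for rules this converter has no answer for."""
    parsed = parse_rule(rule)
    opts = parsed['options']
    for i, (key, value) in enumerate(opts):
        nocase = i + 1 < len(opts) and opts[i + 1][0] == 'nocase'
        if key == 'uricontent':
            return {'glob': '*' + decode_content(value), 'nocase': nocase,
                    'subtype': 'Intel::URL', 'expected_in': expected_in(parsed)}
        if key == 'pcre':
            body, flags = re.fullmatch(r'/(.*)/([a-zA-Z]*)', value).groups()
            # Assumption: the pcre matches a quoted name="..." MIME parameter;
            # keep only the filename and anchor it at both ends.
            body = re.sub(r'^name=\\x22', '^', body)
            body = re.sub(r'\\x22$', '$', body)
            return {'pattern': body, 'flags': flags,
                    'subtype': 'Intel::FILENAME', 'expected_in': expected_in(parsed)}
    return None


def matches(item, observed):
    """Apply a record to an observed filename or URL from any protocol."""
    if 'pattern' in item:
        flags = re.IGNORECASE if 'i' in item['flags'] else 0
        return re.search(item['pattern'], observed, flags) is not None
    if item['nocase']:
        return fnmatch.fnmatchcase(observed.lower(), item['glob'].lower())
    return fnmatch.fnmatchcase(observed, item['glob'])


def render(item):
    """Format the record in the literal shape sketched in the message."""
    if 'pattern' in item:
        value = '$pattern=/%s/' % item['pattern']
    else:
        value = '$glob="%s"' % item['glob']
    return '[%s, $subtype=%s, $expected_in=%s]' % (
        value, item['subtype'], item['expected_in'])
```

Running `render(to_intel(r))` over the two rules reproduces the two record literals in the message; a rule with only plain `content` matches, like many in the ET set, comes back as None rather than a guessed record.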




