[Bro] Emerging Threats signatures on Bro ids ?

Seth Hall seth at icir.org
Thu Aug 16 12:20:10 PDT 2012

On Aug 16, 2012, at 2:55 PM, Martin Holste <mcholste at gmail.com> wrote:

> So, here's the intel feed I'd want:
> {
>  host:<some bad hostname pattern, e.g. 'example.com'>
>  uri: <some bad URI pattern, e.g. 'in.cgi'>
>  uri_params: <array of URI parameters that constitutes "badness",
> e.g. [ 'id', 'os', 'affid' ]
>  headers: <hash of header content of badness, e.g. { 'user-agent': 'Presto' },
>  etc...
> }
> As you can probably see, yara would be a great fit for something like this.

Haha.  That's actually fairly nice and similar to how Bro's existing signature language works already (we have a number of special keywords besides "payload"), but the problem that I see is where you know a file name that you know is being used by malicious actors and you'd like to watch for that filename anywhere.  You're really looking to just insert the filename as intelligence and watch everywhere that file names are found.

You do make a good point though that reapplying our signature language to intelligence correlation might be a good idea.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list