[Bro] Emerging Threats signatures on Bro ids ?

Martin Holste mcholste at gmail.com
Thu Aug 16 12:30:26 PDT 2012


If you start with the intel that filename x=bad, then you could have
an internal Bro generation that extends the filename to URI.  So, some
of the URI information would be specific to URI patterns etc., but
some would be autogenerated at runtime by Bro:

pseudo-spec:
{
  type: FILE,
  filename:foo
}

Synthesizes this additional check:

{
  type: HTTP,
  uri: foo
}

On Thu, Aug 16, 2012 at 2:20 PM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 16, 2012, at 2:55 PM, Martin Holste <mcholste at gmail.com> wrote:
>
>> So, here's the intel feed I'd want:
>> {
>>  host:<some bad hostname pattern, e.g. 'example.com'>
>>  uri: <some bad URI pattern, e.g. 'in.cgi'>
>>  uri_params: <array of URI parameters that constitutes "badness",
>> e.g. [ 'id', 'os', 'affid' ]
>>  headers: <hash of header content of badness, e.g. { 'user-agent': 'Presto' },
>>  etc...
>> }
>>
>> As you can probably see, yara would be a great fit for something like this.
>
>
> Haha.  That's actually fairly nice and similar to how Bro's existing signature language works already (we have a number of special keywords besides "payload"), but the problem that I see is where you know a file name that you know is being used by malicious actors and you'd like to watch for that filename anywhere.  You're really looking to just insert the filename as intelligence and watch everywhere that file names are found.
>
> You do make a good point though that reapplying our signature language to intelligence correlation might be a good idea.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
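The "internal generation" step from the top of this message, as an added illustration in plain Python (not Bro script, not the Bro intel framework, and not code from anyone in this thread): a FILE intel item is expanded into a synthesized HTTP URI check, and both the expanded feed and the host/uri/uri_params/headers pattern from the quoted message are run over constructed HTTP events. The field names and matching rules (substring for host and uri, all listed parameters present, case-insensitive header names) are assumptions for the demo.

```python
from typing import Dict, List, Tuple

def expand_intel(item: Dict) -> List[Dict]:
    """Return the item plus any checks synthesized from it: a FILE item with a
    filename also yields an HTTP URI check (the runtime generation step)."""
    checks = [item]
    if item.get("type") == "FILE" and "filename" in item:
        checks.append({"type": "HTTP", "uri": item["filename"], "derived_from": item})
    return checks

def match_http(check: Dict, event: Dict) -> bool:
    """True if every field the HTTP check specifies is satisfied by the event
    (assumed rules: substring for host/uri, all listed params present,
    case-insensitive header names, substring header values)."""
    if check.get("type") != "HTTP":
        return False
    if "host" in check and check["host"] not in event.get("host", ""):
        return False
    if "uri" in check and check["uri"] not in event.get("uri", ""):
        return False
    if any(p not in event.get("uri_params", {}) for p in check.get("uri_params", [])):
        return False
    hdrs = {k.lower(): v for k, v in event.get("headers", {}).items()}
    return all(v in hdrs.get(k.lower(), "") for k, v in check.get("headers", {}).items())

def scan(feed: List[Dict], events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (intel id, event id) pairs; a derived check reports its source item."""
    checks = [c for item in feed for c in expand_intel(item)]
    return [(c.get("derived_from", c)["id"], ev["id"])
            for ev in events for c in checks if match_http(c, ev)]

# Constructed feed: the FILE item and the HTTP pattern discussed in the thread.
FEED = [
    {"id": "intel-1", "type": "FILE", "filename": "foo"},
    {"id": "intel-2", "type": "HTTP", "host": "example.com", "uri": "in.cgi",
     "uri_params": ["id", "os", "affid"], "headers": {"user-agent": "Presto"}},
]
# Constructed HTTP events, not real traffic.
EVENTS = [
    {"id": "ev-1", "host": "cdn.test", "uri": "/dl/foo", "uri_params": {}, "headers": {}},
    {"id": "ev-2", "host": "www.example.com", "uri": "/in.cgi",
     "uri_params": {"id": "1", "os": "w", "affid": "9"},
     "headers": {"User-Agent": "Opera/9.80 Presto/2.12"}},
    {"id": "ev-3", "host": "www.example.com", "uri": "/index.html", "uri_params": {}, "headers": {}},
]

if __name__ == "__main__":
    print(scan(FEED, EVENTS))  # [('intel-1', 'ev-1'), ('intel-2', 'ev-2')]
```

The first hit comes only from the synthesized URI check, so the report points back at the original FILE item rather than at the generated rule.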