[Bro] Emerging Threats signatures on Bro ids ?

rmkml rmkml at yahoo.fr
Fri Aug 17 16:18:03 PDT 2012


OK, please find the sixth alpha release update (open-gpl) of the Emerging Threats 
signatures; I have switched to the Bro signature language:

You can start bro like this:
  bro -i eth0 -s et_bro2_16aug.sig

- previously used the powerful Bro language, now uses the Bro signature language!
- updated to the latest Emerging Threats of 16 Aug 2012
- contains only 111 sigs at this time, work in progress
- the Bro signature language uses regular expressions (like Juniper/OneSecure), so signatures need rewriting
- remember that Bro TCP reassembly only covers the first 1k for performance reasons; check dpd_buffer_size

I'm always interested if you have comments/feedback/flames/performance/FP/FN, please.

Future work:
1) use Dynamic Port Detection (not static ports)
2) use local_net / external_net
3) split signatures into per-category files
4) find a simpler way to write case-insensitive regexps?
5) create a new DNS parser like dns-request in the Bro signature language

More information on Bro Signature Language:
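The rewriting step the post describes (turning an ET rule's `content:` matches into a Bro signature language `payload` regex, with the 1k reassembly limit in mind) can be shown with a small converter. This is an added example, not code from the post or from the Emerging Threats project; it assumes the Bro 2.x signature syntax (`ip-proto`, `dst-port`, `tcp-state`, `payload`, `event`), flex-style `\xHH` escapes in payload regexes, the 1024-byte dpd_buffer_size the post mentions, and spells out case-insensitivity as `[aA]` classes. The sample rule at the bottom is constructed, not a real ET signature.

```python
import re

# Bro's default reassembly depth for signature matching (dpd_buffer_size),
# as stated in the post above; treating 1024 bytes as the default is an assumption.
DPD_BUFFER_SIZE = 1024

_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_HEX_CHUNK = re.compile(r"\|([0-9A-Fa-f ]+)\|")
_REGEX_META = set(r"\.^$|?*+()[]{}/")


def content_to_bytes(content):
    """Expand a Snort/ET content string, including |0d 0a| hex chunks, to bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_CHUNK.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def bytes_to_bro_regex(data, nocase):
    """Escape literal bytes as a Bro payload regex fragment (flex syntax).
    Case-insensitive matching is spelled out as [aA] classes, the verbose form
    the post above hopes to simplify."""
    parts = []
    for b in data:
        c = chr(b)
        if nocase and c.isascii() and c.isalpha():
            parts.append("[%s%s]" % (c.lower(), c.upper()))
        elif 0x20 <= b < 0x7F and c not in _REGEX_META:
            parts.append(c)
        else:
            parts.append("\\x%02x" % b)
    return "".join(parts)


def parse_options(opts):
    """Split the rule body on ';' outside quotes, keeping order so that
    modifiers such as nocase/offset attach to the preceding content."""
    pairs = []
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def snort_to_bro(rule):
    """Convert one Snort/ET rule to a Bro signature. Returns (sig_text, warnings)."""
    m = _HEADER.match(rule)
    if not m:
        raise ValueError("unparseable rule header")
    msg, sid, established, to_server = "converted rule", "0", False, False
    fragments, warnings = [], []
    for key, val in parse_options(m.group("opts")):
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = val
        elif key == "flow":
            flags = {f.strip() for f in val.split(",")}
            established, to_server = "established" in flags, "to_server" in flags
        elif key == "content":
            fragments.append([content_to_bytes(val), False])
        elif key == "nocase" and fragments:
            fragments[-1][1] = True
        elif key in ("offset", "depth") and int(val) > DPD_BUFFER_SIZE:
            # Bytes past the reassembly buffer never reach the signature engine.
            warnings.append("%s:%s lies beyond dpd_buffer_size=%d; Bro will not see it"
                            % (key, val, DPD_BUFFER_SIZE))
    lines = ["signature sid-%s {" % sid, "  ip-proto == %s" % m.group("proto")]
    if m.group("dport") != "any":
        lines.append("  dst-port == %s" % m.group("dport"))
    if established or to_server:
        states = (["established"] if established else []) + (["originator"] if to_server else [])
        lines.append("  tcp-state %s" % ",".join(states))
    if fragments:
        # Bro anchors payload regexes at the start of the stream, hence the leading .*
        regex = ".*".join(bytes_to_bro_regex(b, nc) for b, nc in fragments)
        lines.append("  payload /.*%s/" % regex)
    lines.append('  event "%s"' % msg)
    lines.append("}")
    return "\n".join(lines), warnings


# Constructed sample rule for illustration (not a real Emerging Threats signature).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"TEST constructed example"; flow:established,to_server; '
    'content:"GET "; nocase; content:"/evil.php?id=|0d 0a|"; '
    'offset:2048; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    sig, warns = snort_to_bro(SAMPLE_RULE)
    print(sig)
    for w in warns:
        print("warning:", w)
```

The offset check is the practical consequence of the 1k reassembly note: a rule whose match lives past dpd_buffer_size converts to syntactically valid Bro but will never fire, so the converter flags it rather than silently emitting a dead signature.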