This raises a question that I've been wondering since poring over the 1.4 manual regarding how well Bro greps packets. Specifically, the manual says that signatures are off by default and that the grepping is per-packet with no stream reassembly capabilities. It also appears that there's no particularly fancy pattern matching engine under the hood, indicating that matching on full snaplengths for many signatures produces high load. I haven't measured this myself, so I'm wondering if this is the case. Does anyone have any statistical (or anecdotal) evidence as to how many sigs can run under a subnet with mostly web client traffic?<br>
<br>Thanks,<br><br>Martin<br><br><div class="gmail_quote">On Thu, Apr 16, 2009 at 12:19 PM, Seth Hall <span dir="ltr"><<a href="mailto:hall.692@osu.edu">hall.692@osu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Tim,<br>
<div class="im"><br>
On Apr 16, 2009, at 12:13 PM, Tim Rupp wrote:<br>
<br>
> Is there an event I can hook that would allow me to do a regex on the<br>
> raw bytes of a packet if I knew the hex pattern of the bytes I want to<br>
> match?<br>
<br>
<br>
</div>If you want an example of working with signatures and policy script, I<br>
went ahead and added a script for detecting SSN leakage that works by<br>
having a signature that is subsequently handled in policy script. It<br>
uses a list of known US SSNs for your organization and filters out<br>
false positives by using that list. We've caught quite a few minor<br>
violations with this script since we started running it.<br>
<br>
Here's the policy script:<br>
<a href="http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn-exposure.bro" target="_blank">http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn-exposure.bro</a><br>
<br>
The corresponding signature definition file is here:<br>
<a href="http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn.sig" target="_blank">http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn.sig</a><br>
<br>
Let me know if you have any problems understanding what's happening<br>
between the signature definition and the policy script. That simple<br>
interaction is a little muddied by the rest of the script.<br>
<br>
.Seth<br>
<br>
---<br>
<font color="#888888">Seth Hall<br>
Network Security - Office of the CIO<br>
The Ohio State University<br>
Phone: 614-292-9721<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
Bro mailing list<br>
<a href="mailto:bro@bro-ids.org">bro@bro-ids.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</a><br>
</div></div></blockquote></div><br>
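<p>Added example, not part of the thread and not Seth's ssn-exposure.bro or Bro's own matching engine: a small Python model of the two-stage approach Seth describes (a byte-pattern "signature" that flags SSN-formatted strings, followed by a "policy" stage that keeps only values present in the organisation's known list), and of the per-packet versus reassembled-stream concern raised in the question. The regex, the packet payloads and the known-SSN list are constructed for the demonstration; nothing here asserts how Bro itself actually matches.</p>

```python
"""Two-stage SSN-exposure detection, modelled on the thread's description
(added example, not the Bro script itself):

  stage 1 - "signature": a byte regex for ddd-dd-dddd strings in payload
  stage 2 - "policy":    keep only candidates found in a known-SSN list,
                         which removes format-only false positives

It also contrasts matching each packet on its own with matching the
reassembled stream, to show what per-packet matching can miss.
"""
import re
from typing import Iterable, List, Set

# Stage 1: the signature. Loose SSN format, bounded by non-digits so that
# longer digit runs (phone numbers, IDs) are not partially matched.
SSN_SIGNATURE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed, fictional values standing in for the organisation's list.
KNOWN_SSNS: Set[str] = {"123-45-6789", "987-65-4320"}

# Constructed HTTP POST body split into two packets. The known SSN
# 123-45-6789 straddles the packet boundary; 555-12-3456 is a format-only
# false positive that is not in the known list.
PACKETS: List[bytes] = [
    b"POST /form HTTP/1.1\r\n\r\nname=alice&ref=555-12-3456&ssn=123-4",
    b"5-6789&alt=987-65-4320\r\n",
]


def signature_matches(payload: bytes) -> List[str]:
    """Stage 1: every SSN-formatted string in one chunk of payload."""
    return [m.group(0).decode("ascii") for m in SSN_SIGNATURE.finditer(payload)]


def policy_filter(candidates: Iterable[str], known: Set[str]) -> List[str]:
    """Stage 2: the policy-script role, keeping only known values."""
    return [c for c in candidates if c in known]


def scan_per_packet(packets: Iterable[bytes], known: Set[str]) -> List[str]:
    """Match each packet independently, as a per-packet engine would."""
    hits: List[str] = []
    for pkt in packets:
        hits.extend(policy_filter(signature_matches(pkt), known))
    return hits


def scan_reassembled(packets: Iterable[bytes], known: Set[str]) -> List[str]:
    """Match the reassembled stream, so boundary-straddling values are seen."""
    return policy_filter(signature_matches(b"".join(packets)), known)


if __name__ == "__main__":
    print("signature candidates:", signature_matches(b"".join(PACKETS)))
    print("per-packet hits:     ", scan_per_packet(PACKETS, KNOWN_SSNS))
    print("reassembled hits:    ", scan_reassembled(PACKETS, KNOWN_SSNS))
```

<p>Run as a script, it shows three signature candidates on the full stream, but the policy stage reports only the two known values, and the per-packet scan reports just one of those because the other is split across the boundary. One design point worth noting for a real deployment: the known list need not live in the script in clear text; keeping a hash of each value and hashing every candidate before the lookup gives the same false-positive filtering without the list itself being readable.</p>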