[Bro] regular expressions in bro signatures (payload)

Aashish Sharma aashish at uiuc.edu
Fri Apr 29 12:46:46 PDT 2005


Hello All: 

I have been trying to port some bleeding-edge snort signatures to bro to detect bots on the network. I used the s2b or snort2bro.pl script to convert these snort signatures to bro format, but the script ignores the pcre (perl compatible regular expression) directive and comments it out (refer to the signature below):

signature sid-2001787 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: pcre: /(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i
  event "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command"
  tcp-state established
  }

How can I (or can I not) use regular expressions in the payload directive of bro signatures? Can you guys point me to a writeup or man page for this?

I see other (converted) signatures do have a payload directive which uses regular expressions, but those are fairly straightforward RE searches. Is it possible to create constructs using "or" ("|"), "{}", "[]", "()" etc. in the payload section of signatures? In other words, how can I port the pcre payload check (above signature) as a regular expression for payload to bro?

Also, are REs in signatures case-sensitive too?

Thanks a lot for the help. 

Aashish Sharma 
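An added example (not from the post, from snort2bro, or from the Bro project) of one way to carry a /i pcre over to a payload engine that is assumed to have no case-insensitive flag: fold every letter into a two-case class, then use Python's re with IGNORECASE as an oracle to confirm the folded pattern matches the same constructed sample lines as the original. It assumes the target engine accepts the flex-style constructs `|`, `()`, `[]` and `{m,n}` asked about above.

```python
import re

# The pcre from the converted Snort rule quoted in the post, minus its /i flag
BOT_PCRE = (
    r"(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)"
    r"|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) "
    r"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass"
    r"|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql"
    r"|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))"
)

def fold_case(pattern: str) -> str:
    """Rewrite a pattern written for /i as a case-sensitive equivalent:
    'a' -> '[aA]', inside an existing class '[a-f]' -> '[a-fA-F]',
    and backslash escapes such as \\. are copied through untouched."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escape: keep both chars as-is
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if c == "[" and not in_class:
            in_class = True
            out.append(c)
        elif c == "]" and in_class:
            in_class = False
            out.append(c)
        elif c.isalpha() and in_class and pattern[i + 1:i + 2] == "-" and i + 2 < len(pattern):
            lo, hi = c, pattern[i + 2]                # letter range inside a class
            out.append(f"{lo.lower()}-{hi.lower()}{lo.upper()}-{hi.upper()}")
            i += 3
            continue
        elif c.isalpha():
            both = c.lower() + c.upper()
            out.append(both if in_class else f"[{both}]")
        else:
            out.append(c)
        i += 1
    return "".join(out)

# Constructed IRC-style command lines for checking (not real captures)
SAMPLES = [
    "PRIVMSG #c :.advscan lsass 100 5 0 -r -s",
    "PRIVMSG #c :.ADVSCAN DCOM135 50 3 0",
    "PRIVMSG #c :!scan 10.0",
    "PRIVMSG #c :hello everyone",
    "PRIVMSG #c :adv.start NetBIOS",
]

def same_matches(pattern: str, samples) -> bool:
    """True if the folded pattern and the /i original agree on every sample."""
    ci, cs = re.compile(pattern, re.IGNORECASE), re.compile(fold_case(pattern))
    return all(bool(ci.search(s)) == bool(cs.search(s)) for s in samples)

def matching_samples(pattern: str = BOT_PCRE, samples=SAMPLES) -> list:
    """Samples hit by the case-folded, case-sensitive form of the pattern."""
    cs = re.compile(fold_case(pattern))
    return [s for s in samples if cs.search(s)]
```

The folded string is what would go into the payload directive; the oracle check is only there to catch letters the folding missed.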