[Bro] Emerging Threats signatures on Bro ids ?
rmkml
rmkml at yahoo.fr
Mon Aug 13 17:13:38 PDT 2012
Starting the hard work...
Question please: is it possible to detect POST and URI (/abc) and argument (arg=test)?
example:
POST /abc HTTP/1.0
...
\r\n
\r\n
arg=test
This does not work, but something like:
("POST"==c$http$method)&&(/\/abc/ in c$http$uri)&&(/arg\=test/ in c$http$body????)
Regards
Rmkml
On Mon, 13 Aug 2012, rmkml wrote:
> OK, I'm looking at the user-agent ET sigs.
> Regards
> Rmkml
>
>
> On Mon, 13 Aug 2012, Seth Hall wrote:
>
>>
>> On Aug 13, 2012, at 12:38 PM, rmkml at yahoo.fr wrote:
>>
>>> This is why I need feedback please.
>>
>> Oh! I forgot to include an alternate approach I thought of. If you are
>> still interested in going down this route, could you start by pulling out
>> malicious software user-agents from the ET signatures?
>> That's something that would fit well and easily into Bro right now and
>> into the intelligence framework in the future.
>>
>> What do you think about that? We can certainly start small with very well
>> defined goals and move from there.
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>
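One way to express the check asked about at the top of this thread, as an added example that is not part of the original messages. It assumes the Bro 2.x base HTTP scripts and the http_entity_data event; the module name PostArgMatch and the notice type Matched_Post_Body are hypothetical names chosen for illustration.

```bro
# Added example: raise a notice for POST requests to /abc whose body
# contains arg=test. Module and notice names are hypothetical.
@load base/protocols/http
@load base/frameworks/notice

module PostArgMatch;

export {
    redef enum Notice::Type += { Matched_Post_Body };
}

# http_entity_data fires for each piece of HTTP body data, so the body is
# matched here instead of through a field on c$http.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only look at client-to-server bodies (the request side).
    if ( ! is_orig )
        return;

    # The request line must already have been parsed by the base scripts.
    if ( ! c?$http || ! c$http?$method || ! c$http?$uri )
        return;

    if ( c$http$method == "POST" &&
         /\/abc/ in c$http$uri &&
         /arg=test/ in data )
        {
        NOTICE([$note=Matched_Post_Body,
                $conn=c,
                $msg=fmt("POST %s carried arg=test in the request body", c$http$uri)]);
        }
    }
```

Body data is delivered in pieces, so a pattern that straddles two pieces is not matched by this per-event check, and URL-encoded variants of the argument need their own pattern.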