[Bro] Emerging Threats signatures on Bro ids ?

rmkml rmkml at yahoo.fr
Wed Aug 15 09:14:12 PDT 2012


Hi,
I'm continuing to update (user-agent rules currently) my conversion of the (open-gpl) Emerging Threats signatures:
  http://88.191.140.111/et_bro2_14aug_pb.bro
It works.

But when I uncomment/enable these two lines in et_bro2_14aug_pb.bro:
  228: else if ( (/[gG][oO][oO][gG][lL][eE][bB][oO][tT]/ in c$http$user_agent) && sid2015529 && (et_currents || et_useragent) )
  229: NOTICE([$conn=c, $note=EmergingThreats, $msg=fmt("[1:2015529:1] ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious)")]);

bro produces an error:
  bro20 -C -r testbro.pcap et_bro2_14aug_pb
  error in policy/et_bro2_14aug_pb.bro, line 229: memory exhausted, at or near "("

Just as a test, if I keep lines 228 and 229 enabled but comment out/disable the previous lines 224 and 225, bro fires on my test...
Maybe it's an internal memory-related problem in bro?

Does anyone know this problem and how to fix it, please?
Regards
Rmkml

http://twitter.com/rmkml


