[Bro] Emerging Threats signatures on Bro ids ?

rmkml rmkml at yahoo.fr
Wed Aug 15 16:17:38 PDT 2012


Hi,

OK, please find the fifth alpha release update (open GPL) of the Emerging Threats signatures:

  http://88.191.140.111/et_bro2_14aug.bro
   -bypassed the "memory exhausted" problem with an if chain (without else if) for now
   -72 new signatures (total 124)
   -use different pattern matching regexps or not
   -signatures with a performance penalty are disabled by default via the et_performancepenalty variable

I'm always interested in any comments/feedback/flames/performance/FP/FN reports, please.
Enabling or disabling variables in the Bro script reduces the number of sigs (et_useragent, et_malware, et_currents, et_dns, et_trojan...).

Future work:
1) I have a small problem with this powerful Bro language:
   -I have used global variables (sid2015596...) for http_header because my test on a pcap fires four times for each signature.
2) find a more "simplified" case-insensitive regexp?
3) adding local_net / external_net...
4) how to match the POST http_method with an argument?

Regards
Rmkml

http://twitter.com/rmkml
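The post raises two scripting questions: a signature fires once per matching header rather than once per connection, and matching a POST method together with a URI argument. The script below is an added example, not rmkml's et_bro2 script and not an Emerging Threats rule. It is written against the Bro 2.x scripting API; the module name ET, the notice type Match, the SID value and both patterns are constructed for illustration, and the `(?i:...)` case-insensitive pattern syntax is assumed to be available in the Bro version in use.

```bro
# Added example (not the et_bro2 script). Module, notice type, SID and
# patterns are all constructed placeholders for illustration.
@load base/frameworks/notice
@load base/protocols/http

module ET;

export {
	redef enum Notice::Type += {
		## Raised at most once per connection when a sample rule matches.
		Match,
	};

	## Placeholder SID, not a real Emerging Threats rule id.
	const example_sid = 1000001 &redef;

	## Constructed User-Agent pattern; (?i:...) makes the match
	## case-insensitive (assumed supported by the Bro version in use).
	const example_ua = /(?i:example-bad-agent)/ &redef;

	## Constructed URI parameter to look for on POST requests.
	const example_post_arg = /[?&]cmd=/ &redef;
}

# Per-connection set of SIDs already reported. Keeping this state on the
# connection instead of in a global means one signature fires once per
# connection, not once per matching header or request, and the state is
# discarded with the connection.
redef record connection += {
	et_sids: set[count] &default=set();
};

function report_once(c: connection, sid: count, msg: string)
	{
	if ( sid in c$et_sids )
		return;

	add c$et_sids[sid];
	NOTICE([$note=Match, $conn=c, $msg=fmt("sid %d: %s", sid, msg)]);
	}

# Bro passes header names in upper case, so compare against "USER-AGENT".
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( is_orig && name == "USER-AGENT" && example_ua in value )
		report_once(c, example_sid, fmt("User-Agent %s", value));
	}

# The method and the URI arrive together in http_request, so a
# "POST with argument" check belongs here rather than in http_header.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( method == "POST" && example_post_arg in unescaped_URI )
		report_once(c, example_sid + 1, fmt("POST %s", unescaped_URI));
	}
```

Arguments carried in the POST body rather than the URI are not visible in http_request; inspecting them needs the http_entity_data event, which delivers body chunks and is correspondingly more expensive, which is the kind of per-signature cost the et_performancepenalty switch above is meant to gate.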


