[Bro] Emerging Threats signatures on Bro ids ?
rmkml
rmkml at yahoo.fr
Fri Aug 17 16:18:03 PDT 2012
Hi,
ok please found Six alpha release update (open-gpl) Emerging Threats
signatures, I have switched to bro signature language:
http://88.191.140.111/et_bro2_16aug.sig
You can start bro like this:
bro -i eth0 -s et_bro2_16aug.sig
Features:
-previously used bro powerful language, now use bro signature language!
-update to last Emerging Threats 16 Aug 2012
-contains only 111 sig at this time, work in progress
-bro signature language use regular expression (like juniper/onesecure) need rewrite signature
-remember bro tcp reassembly only first 1k for performance reason, check dpd_buffer_size
Im always interested if you have comments/feedback/flame/performance/FP/FN please.
Futur work:
1) use Dynamic Port Detection (not static port)
1) use local_net / external_net
2) split signature per category files
3) find case insensitive more "simplify" regexp ?
4) create on new dns parser like dns-request on bro signature language
More information on Bro Signature Language:
http://bro-ids.org/documentation/signatures.html
Regards
Rmkml
http://twitter.com/rmkml
More information about the Bro
mailing list