[Bro] Emerging Threats signatures on Bro ids ?
rmkml
rmkml at yahoo.fr
Sat Aug 18 17:35:11 PDT 2012
Hi,
OK, here is a new release/update of the (open/GPL) Emerging Threats signatures converted to the Bro signature language:
http://88.191.140.111/et_bro2_17aug.sig
You can start bro like this:
bro -i eth0 -s et_bro2_17aug.sig
Features:
-updated to the latest Emerging Threats release of 17 Aug 2012
-contains only 269 signatures at this time; work in progress
-the Bro signature language uses regular expressions (like Juniper/OneSecure), so the ET signatures need to be rewritten
-remember that Bro TCP reassembly only covers the first 1k for performance reasons; check dpd_buffer_size
I'm always interested if you have comments/feedback/flames/performance/FP/FN reports, please.
Future work:
1) use Dynamic Port Detection (not static port)
2) use local_net / external_net
3) split signatures per category files
4) find a more "simplified" case-insensitive regexp?
5) create a new DNS parser, like dns-request, in the Bro signature language
More information on Bro Signature Language:
http://bro-ids.org/documentation/signatures.html
Regards
Rmkml
http://twitter.com/rmkml
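As an added illustration (not from the post and not taken from et_bro2_17aug.sig), here is what one ET-style HTTP rule looks like after the rewrite the post describes: Bro's flex-style regular expressions replace Snort's content/nocase keywords, and raw payload matching is bounded by dpd_buffer_size. The signature names, ports and the matched string "examplebadua" are constructed placeholders.

```bro
# Constructed example of an ET-style rule in Bro signature language.
# "examplebadua" is a placeholder string, not a real indicator.
signature et-example-http-user-agent {
    ip-proto == tcp
    dst-port == 80
    # Only inspect the client side of an established TCP connection.
    tcp-state established,originator
    # Bro has no "nocase" keyword; each letter is written as a character
    # class to get case-insensitive matching. The leading .* is needed
    # because signature regexes are anchored at the start of the data.
    # (Newer Bro releases add (?i:...) for this; verify against your
    # version's signatures.html before relying on it.)
    http-request-header /.*[Uu][Ss][Ee][Rr]-[Aa][Gg][Ee][Nn][Tt]:.*[Ee][Xx][Aa][Mm][Pp][Ll][Ee][Bb][Aa][Dd][Uu][Aa]/
    event "ET-style example: placeholder User-Agent seen in HTTP request"
}

# Same string matched on the raw stream instead of through the HTTP
# analyzer. Only the first dpd_buffer_size bytes (1 KB by default, as the
# post notes) are searched, so a hit later in the stream never fires.
signature et-example-raw-payload {
    ip-proto == tcp
    dst-port == 8080
    tcp-state established,originator
    payload /.*[Ee][Xx][Aa][Mm][Pp][Ll][Ee][Bb][Aa][Dd][Uu][Aa]/
    event "ET-style example: placeholder string in raw payload"
}
```

Load the file the same way as the post's release (bro -i eth0 -s example.sig) and matches appear in signatures.log. If the 1k limit is too tight for a given deployment, a loaded Bro script can raise it with redef dpd_buffer_size = 4096; (the value is an assumption to be tuned locally).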