[Bro] RE : bro signature http-request double encoded cause FN ?
Vlad Grigorescu
vladg at cmu.edu
Mon Aug 20 08:16:24 PDT 2012
Hi rmkml,
First off, let me just thank you for all the work you've been doing recently. I think a lot of people are interested in integrating additional intelligence sources (like Emerging Threats) into Bro.
However, I'm concerned that a lot of your work seems to be based on just passing content through a bunch of regular expressions. A few others have also expressed concern with this approach. As a result, I think most people here are wary of trying your scripts on their clusters. Even a 10% slowdown translates to one or two extra 16-core machines that would need to be added to the cluster in some places. Apart from that, at least to me, this approach goes against a lot of the Bro philosophy. If people just wanted basic signature matching, they'd use one of the many much more simplistic tools out there. With Bro, this is really viewed as intelligence instead of an amalgamation of signatures.
Personally, I think you'd get much more interest if you could just create a text-file with known bad user-agents from the Emerging Threats sigs. I think that's a good place to start, and once that's in place, we can help you figure out the best way to extend that to domain names, URIs, filenames, etc.
Just my 2 cents on why all the time you've been investing into this isn't getting the interest and response one would expect.
--
Vlad Grigorescu
Senior Information Security Engineer
Carnegie Mellon University
On Aug 20, 2012, at 10:43 AM, "rmkml at yahoo.fr" <rmkml at yahoo.fr> wrote:
> Hi,
> Nobody interested, please?
> Regards
> Rmkml
>
>
>
> rmkml wrote:
>
> Hi,
> OK, it's been a long time since I worked on the Bro signature "language",
> but I'm back today and I'm starting a few tests:
>
> 0) web test without encoding : /abc
> OK, detected by http-request /.*\/abc.*/
>
> 1) http utf8 simple encoded like /ab%63
> OK, detected by http-request /.*\/abc.*/
>
> 2) http utf8 double encoded like /ab%2563
> NOT detected by http-request /.*\/abc.*/
>
> Can anyone confirm this?
> Maybe I need to switch a variable, where?
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
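The three cases in rmkml's post (plain, single-encoded, double-encoded URI) come down to how many percent-decoding passes are applied before the pattern is matched. The following Python script is an added illustration, not Bro code and not a statement of how Bro's signature engine decodes internally: it shows why a single decoding pass accepts `/ab%63` but misses `/ab%2563`, and what a fixed-point normalizer with a bounded pass budget does instead. The `MAX_DECODE_PASSES` bound and the idea of reporting the number of encoding layers as a signal are assumptions of this example; a browser or well-behaved client normally sends at most one layer, so a second layer is itself worth logging.

```python
import re
from urllib.parse import unquote

# Assumption of this example: bound the number of passes so that a deeply
# nested input cannot make the normalizer loop indefinitely.
MAX_DECODE_PASSES = 3

# The signature from the post, as a Python regex (the '/' needs no escaping here).
SIG = re.compile(r".*/abc.*")


def decode_fixed_point(uri: str, max_passes: int = MAX_DECODE_PASSES):
    """Percent-decode repeatedly until the string stops changing or the
    pass budget is exhausted.

    Returns (decoded_uri, layers) where `layers` is the number of passes
    that actually changed the string, i.e. the encoding depth observed.
    """
    current = uri
    for layers in range(max_passes):
        nxt = unquote(current)
        if nxt == current:
            return current, layers
        current = nxt
    # Budget spent: report the budget as the depth and whatever we have so far.
    return current, max_passes


def matches_single_decode(uri: str) -> bool:
    """One decoding pass, then match: this is the behaviour the post reports
    (case 0 and 1 detected, case 2 missed)."""
    return SIG.match(unquote(uri)) is not None


def matches_normalized(uri: str) -> bool:
    """Decode to a fixed point, then match."""
    decoded, _ = decode_fixed_point(uri)
    return SIG.match(decoded) is not None


def classify(uri: str) -> dict:
    """Summarise one request URI: both match outcomes plus the encoding depth,
    so that a double-encoded request can be flagged even when the
    single-pass signature misses it."""
    decoded, layers = decode_fixed_point(uri)
    return {
        "uri": uri,
        "decoded": decoded,
        "layers": layers,
        "single_pass_match": matches_single_decode(uri),
        "normalized_match": matches_normalized(uri),
        "multi_layer_encoding": layers > 1,
    }


if __name__ == "__main__":
    # Constructed sample URIs mirroring cases 0, 1 and 2 from the post.
    for sample in ("/abc", "/ab%63", "/ab%2563"):
        print(classify(sample))
```

Run stand-alone it prints one dictionary per case; the double-encoded URI is the only one where `single_pass_match` is false while `normalized_match` is true, and it is also the only one with `multi_layer_encoding` set. Whether Bro exposes a knob for this is exactly the open question in the thread; the script only shows what the extra pass changes.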