[Bro] RE : bro signature http-request double encoded cause FN ?

Vlad Grigorescu vladg at cmu.edu
Mon Aug 20 08:16:24 PDT 2012


Hi rmkml,

First off, let me just thank you for all the work you've been doing recently. I think a lot of people are interested in integrating additional intelligence sources (like Emerging Threats) into Bro.

However, I'm concerned that a lot of your work seems to be based on just passing content through a bunch of regular expressions. A few others have also expressed concern with this approach. As a result, I think most people here are wary to try your scripts on their clusters. Even a 10% slowdown translates to one or two extra 16-core machines that would need to be added to the cluster in some places. Apart from that, at least to me, this approach goes against a lot of the Bro philosophy. If people just wanted basic signature-matching, they'd use one of the many much more simplistic tools out there. With Bro, this is really viewed as intelligence instead of an amalgamation of signatures.

Personally, I think you'd get much more interest if you could just create a text-file with known bad user-agents from the Emerging Threats sigs. I think that's a good place to start, and once that's in place, we can help you figure out the best way to extend that to domain names, URIs, filenames, etc.

Just my 2 cents on why all the time you've been investing into this isn't getting the interest and response one would expect.

--
Vlad Grigorescu
Senior Information Security Engineer
Carnegie Mellon University

On Aug 20, 2012, at 10:43 AM, "rmkml at yahoo.fr" <rmkml at yahoo.fr> wrote:

> Hi,
> Nobody interested, please?
> Regards
> Rmkml
> 
> 
> 
> rmkml wrote:
> 
> Hi,
> OK, it's been a long time since I worked on the Bro signature "language",
> but I'm back today and I'm starting a few tests:
> 
> 0) web test without encoding: /abc
> OK, detected by http-request /.*\/abc.*/
> 
> 1) http utf8 simple encoded like /ab%63
> OK, detected by http-request /.*\/abc.*/
> 
> 2) http utf8 double encoded like /ab%2563
> NOT detected by http-request /.*\/abc.*/
> 
> Can anyone confirm this?
> Maybe I need to switch a variable, but where?
> 
> Regards
> Rmkml
> 
> http://twitter.com/rmkml
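The three test cases from the quoted message, reproduced as an added example (not code from the thread or from Bro): a regex applied after one percent-decoding pass catches /ab%63 but not /ab%2563, while decoding to a fixed point before matching normalizes both. The signature regex and the URIs are taken from the message above; the helper names and the pass limit are my own.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed test URIs mirroring the three cases in the thread.
CASES: Dict[str, str] = {
    "plain": "/abc",        # case 0: no encoding
    "single": "/ab%63",     # case 1: 'c' encoded once
    "double": "/ab%2563",   # case 2: '%' of '%63' encoded again
}

# The http-request signature from the thread, as a Python regex.
SIG = re.compile(r".*/abc.*")


def decode_n(uri: str, passes: int) -> str:
    """Apply percent-decoding exactly `passes` times (0 = raw URI)."""
    for _ in range(passes):
        uri = unquote(uri)
    return uri


def decode_fixpoint(uri: str, max_passes: int = 4) -> Tuple[str, int]:
    """Percent-decode until the string stops changing, bounded by
    max_passes so a pathological input cannot loop forever.
    Returns (normalized URI, number of decoding passes applied)."""
    for done in range(max_passes):
        decoded = unquote(uri)
        if decoded == uri:
            return uri, done
        uri = decoded
    return uri, max_passes


def matches_after(uri: str, passes: int) -> bool:
    """True if SIG matches the URI after `passes` decoding passes."""
    return SIG.fullmatch(decode_n(uri, passes)) is not None


def matrix(passes: int) -> Dict[str, bool]:
    """Detection result for every test case at a given decoding depth."""
    return {name: matches_after(uri, passes) for name, uri in CASES.items()}


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"{depth} decoding pass(es):", matrix(depth))
    print("fixpoint:", {n: decode_fixpoint(u) for n, u in CASES.items()})
```

With one pass the double-encoded case is the only miss, which is the false negative described in the thread; a detector that normalizes to the fixed point (or simply also inspects the raw URI for a literal "%25") closes that gap at the cost of a few extra decode calls per request.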
