[Bro] Signature Matching Performance
Justin Azoff
JAzoff at albany.edu
Fri May 4 05:37:42 PDT 2012
On Fri, May 04, 2012 at 10:00:59AM +0200, Chris wrote:
> On 04.05.2012, at 09:27, Seth Hall <seth at icir.org> wrote:
>
> > On May 4, 2012, at 3:21 AM, Chris wrote:
> >
> >> Hence, it might happen that e.g. a signature for a http request type might end up as /.*GET\ / although that obviously isn't what one would usually go for.
> >
> > Are you trying to auto convert snort signatures?
>
> No, I'm just trying to generate some signatures on my own. With a lot of leading .* hehe
> Well I guess I have to rethink the idea a bit ;)
If you have a large list of URLs what you want to do is generate a set
of those URLs ...
# declared once with &redef so that it can be extended from other scripts
const bad_urls: set[string] = {} &redef;
redef bad_urls += {
    "http://bad.example.com",
    "http://evil.example.com",
    ...
};
then in a policy somewhere you can simply do
if(url in bad_urls)
...
If you still need a regular expression then you can build up a single pattern
like this:
redef bad_urls =
/bad\.example\.com\/some_regex_here/
| /evil\.example\.com/;
and then use it like this
if(bad_urls in url)
...
Both methods will be a huge improvement over building multiple
signatures.
--
-- Justin Azoff
-- Network Security & Performance Analyst
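Putting both approaches from the reply above into one Bro script, as an added example that is not from the original thread: exact host matches go through a set lookup, the cases that genuinely need a regex go through a single alternated pattern, and both are checked once per HTTP request rather than through many separate signatures. The host names, the path regexes, the module name BadURLs and the use of Reporter::warning instead of a Notice are assumptions made for this example.

```bro
##! Added example, not code from the original thread: a host denylist as a
##! set plus one combined pattern for paths, checked once per HTTP request.

@load base/protocols/http

module BadURLs;

export {
    ## Constructed sample denylist; extend it from another script with redef.
    const bad_hosts: set[string] = {
        "bad.example.com",
        "evil.example.com",
    } &redef;

    ## One alternated pattern for the cases that need a regex (assumed paths).
    const bad_uri_pattern = /\/some_regex_here/ | /\/evil-download/ &redef;
}

# http_message_done fires once the request line and all headers are in,
# so c$http$host and c$http$uri are both populated for the client side.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http )
        return;

    local host = c$http?$host ? c$http$host : "";
    local uri  = c$http?$uri  ? c$http$uri  : "";

    # Exact match: one set lookup, independent of how long the list grows.
    if ( host in bad_hosts )
        Reporter::warning(fmt("HTTP request to denylisted host %s%s from %s",
                              host, uri, c$id$orig_h));

    # Regex match: a single pattern, so the URI is scanned once, not once
    # per entry in the list.
    else if ( bad_uri_pattern in uri )
        Reporter::warning(fmt("HTTP request URI %s%s matches bad_uri_pattern from %s",
                              host, uri, c$id$orig_h));
}
```

In a deployed policy the Reporter::warning calls would be replaced by a NOTICE so the hits land in notice.log and can be suppressed or escalated; Reporter is used here only to keep the example self-contained.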