[Bro] Signature Matching Performance

Justin Azoff JAzoff at albany.edu
Fri May 4 05:37:42 PDT 2012


On Fri, May 04, 2012 at 10:00:59AM +0200, Chris wrote:
> On 04.05.2012, at 09:27, Seth Hall <seth at icir.org> wrote:
> 
> > On May 4, 2012, at 3:21 AM, Chris wrote:
> > 
> >> Hence, it might happen that e.g. a signature for a http request type might end up as /.*GET\ / although that obviously isn't what one would usually go for.
> > 
> > Are you trying to auto convert snort signatures?
> 
> No, I'm just trying to generate some signatures on my own. With a lot of leading .* hehe
> Well I guess I have to rethink the idea a bit ;)

If you have a large list of URLs, what you want to do is generate a set
of those URLs ...

    # bad_urls must be declared as a redefinable set first, e.g.
    #   const bad_urls: set[string] = {} &redef;
    redef bad_urls += {
        "http://bad.example.com",
        "http://evil.example.com",
        ...
    };

Then in a policy somewhere you can simply do

    if(url in bad_urls)
        ...

If you still need a regular expression then you can build up a single pattern
like this:

    redef bad_urls =
          /bad\.example\.com\/some_regex_here/
        | /evil\.example\.com/;

and then use it like this:

    if(bad_urls in url)
        ...


Both methods will be a huge improvement over building multiple
signatures.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
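The two approaches from the reply above, put together in one complete policy script. This is an added example, not code from the post or from the Bro project; the module name BadURL, the notice type Bad_Request, the names bad_hosts and bad_path, and the sample hostnames and patterns are all assumptions, and it assumes a Bro 2.x install with the base HTTP and notice frameworks loaded.

```bro
@load base/frameworks/notice
@load base/protocols/http

module BadURL;

export {
    redef enum Notice::Type += {
        ## Raised when a request goes to a known-bad host or matches bad_path.
        Bad_Request
    };

    ## Known-bad hostnames (constructed sample values). An exact set lookup
    ## costs about the same whether there are ten entries or a million.
    const bad_hosts: set[string] = {
        "bad.example.com",
        "evil.example.com",
    } &redef;

    ## The few cases that really need a regex are folded into a single
    ## pattern (constructed sample values) instead of one signature each,
    ## and anchored on a literal prefix rather than a leading .* .
    const bad_path: pattern = /\/some_regex_here/ | /\/evil\/[0-9]+/ &redef;
}

# Check once per client request, after the Host header has been parsed
# into c$http, rather than in a signature that runs on every packet.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http )
        return;

    local reason = "";

    # Set membership first: cheapest check, covers the bulk of the list.
    if ( c$http?$host && c$http$host in bad_hosts )
        reason = fmt("known-bad host %s", c$http$host);
    # Pattern match only for the cases a plain string cannot express.
    else if ( c$http?$uri && bad_path in c$http$uri )
        reason = fmt("URI %s matched bad_path", c$http$uri);

    if ( reason != "" )
        NOTICE([$note=Bad_Request, $conn=c, $msg=reason]);
}
```

Dropping additional hosts into bad_hosts via `redef BadURL::bad_hosts += { ... };` from a site policy keeps the lookup O(1), which is the point of the reply.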


