[Bro] How to do with Bro 2.1
Seth Hall
seth at icir.org
Wed Oct 10 19:00:11 PDT 2012
On Oct 10, 2012, at 9:19 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
> Thanks. You're correct, what I want to happen appears to be happening.
>
> Is it a horrible idea to change the signatures? I was curious about
> adding more client verbs in HTTP to detect webdav, and or adding an
> additional http client sig that operates on UDP mostly for upnp
> detection.
You could just write your own signatures (remembering that we don't recommend modifying scripts in base/) and load them in local.bro. I'll give an example…
In a file named localdpd.sig:
signature my_dpd_http_client {
    ip-proto == tcp
    payload /^[[:space:]]*(PUT)[[:space:]]*/
    tcp-state originator
}

signature my_dpd_http_server {
    ip-proto == tcp
    payload /^HTTP\/[0-9]/
    tcp-state responder
    requires-reverse-signature my_dpd_http_client
    enable "http"
}
Then in local.bro:
@load-sigs ./localdpd.sig
If you find that some of your signature additions are valuable, then we would certainly be willing to integrate them into Bro. I think this provides us a good way of trying things out first. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
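An added example, not from this thread or from the Bro project itself: a minimal Python reader for the localdpd.sig shown above that checks every requires-reverse-signature names a defined signature and replays constructed originator/responder payloads against the payload patterns. The POSIX [[:space:]] class is approximated by Python's \s, and the sample payloads and helper names are assumptions.

```python
import re

# Constructed inline copy of the localdpd.sig example from the thread (hypothetical file content).
SIG_TEXT = r"""
signature my_dpd_http_client {
  ip-proto == tcp
  payload /^[[:space:]]*(PUT)[[:space:]]*/
  tcp-state originator
}
signature my_dpd_http_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
  requires-reverse-signature my_dpd_http_client
  enable "http"
}
"""
BLOCK_RE = re.compile(r"signature\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_sigs(text):
    """Parse 'signature name { option value ... }' blocks into {name: {option: value}}."""
    sigs = {}
    for name, body in BLOCK_RE.findall(text):
        opts = {}
        for line in body.strip().splitlines():
            key, _, val = line.strip().partition(" ")
            if key:
                opts[key] = val.strip()
        sigs[name] = opts
    return sigs

def payload_regex(opts):
    """Approximate the /.../ payload pattern as a Python bytes regex ([[:space:]] -> \\s)."""
    pat = opts["payload"].strip("/").replace("[[:space:]]", r"\s")
    return re.compile(pat.encode())

def check_references(sigs):
    """Names whose requires-reverse-signature points at a signature that is not defined."""
    return [n for n, o in sigs.items()
            if o.get("requires-reverse-signature", n) not in sigs]

def matching_sigs(sigs, orig_payload, resp_payload):
    """Names of signatures that would fire on an originator/responder payload pair."""
    fired = set()
    for name, opts in sigs.items():
        data = orig_payload if opts.get("tcp-state") == "originator" else resp_payload
        if payload_regex(opts).search(data):
            fired.add(name)
    # requires-reverse-signature: only fire if the partner on the other side fired too.
    return {n for n in fired if sigs[n].get("requires-reverse-signature", n) in fired}
```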