[Bro] How to do with Bro 2.1

Mike Sconzo sconzo at visiblerisk.com
Wed Oct 10 19:06:55 PDT 2012


Perfect, thanks!

On Wed, Oct 10, 2012 at 9:00 PM, Seth Hall <seth at icir.org> wrote:
>
> On Oct 10, 2012, at 9:19 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
>
>> Thanks. You're correct, what I want to happen appears to be happening.
>>
>> Is it a horrible idea to change the signatures? I was curious about
>> adding more client verbs in HTTP to detect webdav, and or adding an
>> additional http client sig that operates on UDP mostly for upnp
>> detection.
>
> You could just write your own signatures (remembering that we don't recommend modifying scripts in base/) and load it in local.bro.  I'll give an example…
>
> In a file named localdpd.sig:
> signature my_dpd_http_client {
>         ip-proto == tcp
>         payload /^[[:space:]]*(PUT)[[:space:]]*/
>         tcp-state originator
> }
> signature my_dpd_http_server {
>         ip-proto == tcp
>         payload /^HTTP\/[0-9]/
>         tcp-state responder
>         requires-reverse-signature my_dpd_http_client
>         enable "http"
> }
>
> Then in local.bro:
> @load-sigs ./localdpd.sig
>
> If you find that some of your signature additions are valuable, then we would certainly be willing to integrate them into Bro.  I think this provides us a good way of trying things out first. :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>



-- 
cat ~/.bash_history > documentation.txt
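As an added example (not part of the original thread, and not a signature shipped with Bro), here is how the pattern Seth shows could be extended to the two cases Mike asks about. The TCP pair is the same shape as the PUT example with the WebDAV method names added to the alternation. For UPnP, SSDP discovery is HTTP-like text carried over UDP port 1900, and Bro's HTTP analyzer only parses TCP streams, so the UDP signature raises a `signature_match` event instead of using `enable "http"`. The file names, signature ids, the event message and the port 1900 assumption are mine; both files are shown in one block, separated by comment headers.

```bro
# ---- localdpd.sig (constructed example) ----

# WebDAV client request: same shape as the PUT signature in the thread,
# with the common WebDAV method names added to the alternation.
signature my_dpd_webdav_client {
        ip-proto == tcp
        payload /^[[:space:]]*(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[[:space:]]*/
        tcp-state originator
}

# Server side: a matching HTTP status line confirms the client guess and
# only then attaches the HTTP analyzer, as in the thread's example.
signature my_dpd_webdav_server {
        ip-proto == tcp
        payload /^HTTP\/[0-9]/
        tcp-state responder
        requires-reverse-signature my_dpd_webdav_client
        enable "http"
}

# UPnP discovery (SSDP) over UDP/1900. The HTTP analyzer is TCP-only, so
# rather than "enable", this raises a signature_match event that a script
# can act on. Port and message text are assumptions for this example.
signature my_ssdp_msearch {
        ip-proto == udp
        dst-port == 1900
        payload /^M-SEARCH \* HTTP\/1\.[01]/
        event "SSDP M-SEARCH seen"
}

# ---- local.bro (constructed example) ----

@load-sigs ./localdpd.sig

# Handle only the UDP signature here; the TCP pair needs no handler because
# "enable" hands the connection to the HTTP analyzer and http.log follows.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id == "my_ssdp_msearch" )
		print fmt("%s: %s -> %s", msg, state$conn$id$orig_h, state$conn$id$resp_h);
	}
```

The `requires-reverse-signature` / `enable` pair keeps the client-side match from activating the analyzer on its own, so a stray PROPFIND string in unrelated traffic does not attach the HTTP analyzer until the responder actually answers with an HTTP status line. Keeping these in a separate `.sig` file loaded from local.bro, as Seth suggests, leaves base/ untouched across upgrades.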