[Zeek] Converting Rule suricata to zeek

Richard Bejtlich richard at corelight.com
Thu Apr 23 06:29:26 PDT 2020


Hi Vincenzo,

I am not a developer, so I can't comment on the programming aspects.
However, from what little I know about the optimizations and use cases for
Zeek compared to Suricata, it makes sense to run each tool in the manner
for which it was designed.

In other words, depending on the number of signatures you want to port to
Zeek, and whether they work as expected, it's possible you will cripple your
Zeek deployment. Can you tell us a little bit more about your expected use
case? It might be better to just run both tools in parallel.

Sincerely,

Richard

On Thu, Apr 23, 2020 at 8:38 AM Vincenzo <vincyforce at gmail.com> wrote:

> I am working on a Suricata signature converter and converting them for
> Zeek, starting from this development https://github.com/adi928/brocata
> (which currently does not work), and I am doing various bug fixing and
> expanding it.
> But I have only one problem: it concerns the conversion of the rules
> containing the Suricata pcre into expressions compatible with Zeek ("flex").
> Has anyone ever approached this development, and could you give me some
> advice?
>
> Does anyone know of other development for this scope?
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Richard Bejtlich
Principal Security Strategist, Corelight
https://corelight.blog/author/richardbejtlich/
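A small converter for the Suricata pcre option that the quoted message asks about, added here as an example; it is not code from this thread or from the brocata project. It assumes Zeek signature patterns are implicitly anchored at the start of the buffer, that Zeek accepts the inline (?i:...) form, and that the U/H/P buffer modifiers map to the http-request* conditions; the sample option and the SHORTHAND/CONDITION tables are constructed for the example.

```python
import re

# Constructed sample: the kind of Suricata option the quoted message
# wants to turn into a Zeek signature pattern.
SAMPLE_OPTION = r'pcre:"/^GET\s+\/admin\/\d{3}\.php/i";'

# PCRE shorthand classes spelled out as bracket expressions, which the
# flex-style regex used by Zeek signatures accepts.
SHORTHAND = {"d": "[0-9]", "w": "[A-Za-z0-9_]", "s": "[ \\t\\r\\n]"}

# Suricata buffer modifier -> Zeek signature condition (assumed mapping;
# anything else falls back to the raw payload).
CONDITION = {"U": "http-request", "H": "http-request-header",
             "P": "http-request-body"}

def parse_pcre_option(option):
    """Split pcre:"/regex/mods"; into (regex, modifiers)."""
    m = re.fullmatch(r'\s*pcre:"/(.*)/([A-Za-z]*)";\s*', option)
    if not m:
        raise ValueError("not a Suricata pcre option: %r" % option)
    return m.group(1), m.group(2)

def pcre_to_zeek(regex, modifiers):
    """Return (condition, pattern); raise on constructs flex cannot express."""
    if re.search(r"\(\?<?[=!]", regex) or re.search(r"\\[1-9]", regex):
        raise ValueError("lookaround/backreference has no flex equivalent")
    # Walk escapes one at a time so an escaped backslash (\\) is kept and
    # only a real \d, \w or \s is expanded.
    out = re.sub(r"\\(.)", lambda e: SHORTHAND.get(e.group(1), e.group(0)), regex)
    # Zeek signature patterns are implicitly anchored at the start of the
    # buffer: drop a leading ^, otherwise prefix .* so an unanchored PCRE
    # still matches anywhere.
    out = out[1:] if out.startswith("^") else ".*" + out
    if "i" in modifiers:
        out = "(?i:" + out + ")"   # assumption: Zeek accepts inline (?i:...)
    buffers = [c for c in modifiers if c in CONDITION]
    if len(buffers) > 1:
        raise ValueError("conflicting buffer modifiers: %r" % modifiers)
    return (CONDITION[buffers[0]] if buffers else "payload"), out

def to_signature(name, option):
    """Render a complete Zeek signature block for one pcre option."""
    cond, pattern = pcre_to_zeek(*parse_pcre_option(option))
    return 'signature %s {\n  ip-proto == tcp\n  %s /%s/\n  event "%s"\n}' % (
        name, cond, pattern, name)

if __name__ == "__main__":
    print(to_signature("converted-sig", SAMPLE_OPTION))
```

Rules using lookarounds or backreferences are rejected rather than silently mistranslated, which is the case a converter must surface so those rules stay in Suricata.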