[Zeek] Converting Rule suricata to zeek

Vincenzo vincyforce at gmail.com
Thu Apr 23 06:49:18 PDT 2020


Hi, I downloaded a tar from Emerging Threats
https://rules.emergingthreats.net/open/suricata-5.0/ and Zeek has loaded
all signatures (29670), excluding the pcre option from the Suricata rules, but I
included content, ip, port, flow, nocase of content etc., and Zeek came up
correctly.
Yes, I know they are tools that are made to work in parallel, but these are
the design requirements.

On Thu, 23 Apr 2020 at 15:29, Richard Bejtlich <
richard at corelight.com> wrote:

> Hi Vincenzo,
>
> I am not a developer, so I can't comment on the programming aspects.
> However, from what little I know about the optimizations and use cases for
> Zeek compared to Suricata, it makes sense to run each tool in the manner
> for which it was designed.
>
> In other words, depending on the number of signatures you want to port to
> Zeek, and whether they work as expected, it's possible you will cripple your
> Zeek deployment. Can you tell us a little bit more about your expected use
> case? It might be better to just run both tools in parallel.
>
> Sincerely,
>
> Richard
>
> On Thu, Apr 23, 2020 at 8:38 AM Vincenzo <vincyforce at gmail.com> wrote:
>
>> I am working on a Suricata signature converter, converting the rules for
>> Zeek, starting from this development https://github.com/adi928/brocata
>> (which currently does not work), and I am doing various bug fixes and
>> expanding it.
>> But I have only one problem: it concerns the conversion of the rules
>> containing the Suricata pcre into expressions compatible with Zeek ("flex").
>> Has anyone ever approached this development, and could you give me some
>> advice?
>>
>> Anyone knows other development for this scope?
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight
> https://corelight.blog/author/richardbejtlich/
>
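A converter in the spirit of what Vincenzo describes, added here as an example (it is neither brocata's code nor anything posted in the thread): it turns one Suricata rule's header, content/nocase/flow options and pcre into a Zeek signature block, rewriting the PCRE classes flex lacks and refusing rules whose pcre needs lookaround, lazy quantifiers or backreferences. It assumes unidirectional `->` rules and that Zeek's regex engine accepts `\xHH` byte escapes; the sample rule is constructed, not taken from the ET ruleset.

```python
import re
SAMPLE_RULE = (  # constructed sample rule for the demo, not taken from the ET ruleset
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Demo HTTP GET"; flow:established,to_server; '
    'content:"GET"; nocase; content:"/evil|2e|php"; pcre:"/id=\\d+/i"; sid:9000001; rev:1;)')
HEADER = re.compile(r'^\w+\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$')  # unidirectional rules only
UNSUPPORTED = re.compile(r'\(\?[=!<]|[*+?}]\?|\\[bB1-9]')  # lookaround, lazy quantifiers, backrefs
PCRE_TO_FLEX = {r'\d': '[0-9]', r'\D': '[^0-9]', r'\w': '[a-zA-Z0-9_]', r'\s': r'[ \t\r\n]'}
def fold_case(body):  # emulate PCRE /i in flex: a -> [aA]; letters and ranges inside [...] get both cases
    cls = lambda m: '[%s%s]' % (m.group(1), ''.join(t.swapcase() for t in re.findall(
        r'\\.|[A-Za-z]-[A-Za-z]|[A-Za-z]', m.group(1)) if t[0] != '\\'))
    body = re.sub(r'\[([^\]]*)\]', cls, body)
    return re.sub(r'\\x[0-9a-fA-F]{2}|\\.|\[[^\]]*\]|[A-Za-z]', lambda m: m.group()
                  if m.group()[0] in '\\[' else '[%s%s]' % (m.group().lower(), m.group().upper()), body)
def content_to_regex(content, nocase):  # Suricata content (text with |hex| blocks) -> flex fragment
    parts = content.split('|')  # odd-indexed parts are hex byte sequences
    out = ''.join(''.join('\\x' + b.lower() for b in p.split()) if i % 2 else
                  ''.join(c if c.isalnum() else '\\x%02x' % ord(c) for c in p) for i, p in enumerate(parts))
    return fold_case(out) if nocase else out
def pcre_to_flex(pcre):  # pcre:"/re/flags" -> flex, or None when flex cannot express it
    m = re.match(r'^/(.*)/([A-Za-z]*)$', pcre)
    if not m or UNSUPPORTED.search(m.group(1)):
        return None
    body, flags = m.groups()
    for k, v in PCRE_TO_FLEX.items():
        body = body.replace(k, v)
    return fold_case(body) if 'i' in flags else body
def convert(rule):  # one Suricata rule -> one Zeek signature block, or None if its pcre is untranslatable
    proto, dport, opts = HEADER.match(rule.strip()).groups()
    patterns, meta = [], {}  # patterns: [text, nocase]; nocase=None marks an already converted regex
    for name, val in re.findall(r'(\w+)(?::"?([^";]*)"?)?;', opts):  # options in rule order
        if name == 'content':
            patterns.append([val, False])
        elif name == 'nocase':  # modifies the preceding content
            patterns[-1][1] = True
        elif name == 'pcre':
            patterns.append([pcre_to_flex(val), None])
        else:
            meta[name] = val
    if any(p is None for p, _ in patterns):
        return None
    # Zeek payload regexes are implicitly anchored at the payload start, hence the leading .*
    payload = ''.join('.*' + (p if nc is None else content_to_regex(p, nc)) for p, nc in patterns)
    lines = ['signature et-%s {' % meta.get('sid', 'unknown'), '  ip-proto == %s' % proto]
    lines += ['  dst-port == %s' % dport] if dport != 'any' else []
    lines += ['  payload /%s/' % payload] if payload else []
    state = [s for s, key in (('established', 'established'), ('originator', 'to_server'),
                              ('responder', 'to_client')) if key in meta.get('flow', '')]
    lines += ['  tcp-state ' + ','.join(state)] if state else []
    return '\n'.join(lines + ['  event "%s"' % meta.get('msg', ''), '}'])
```

Rules the function returns None for are the ones that still need a hand-written Zeek script or a parallel Suricata instance, which is the trade-off discussed above.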