RE : bro signature http-request double encoded cause FN ?

Hi rmkml,

First off, let me just thank you for all the work you've been doing recently. I think a lot of people are interested in integrating additional intelligence sources (like Emerging Threats) into Bro.

However, I'm concerned that a lot of your work seems to be based on just passing content through a bunch of regular expressions. A few others have also expressed concern with this approach. As a result, I think most people here are wary to try your scripts on their clusters. Even a 10% slowdown translates to one or two extra 16-core machines that would need to be added to the cluster in some places. Apart from that, at least to me, this approach goes against a lot of the Bro philosophy. If people just wanted basic signature-matching, they'd use one of the many much more simplistic tools out there. With Bro, this is really viewed as intelligence instead of an amalgamation of signatures.

Personally, I think you'd get much more interest if you could just create a text-file with known bad user-agents from the Emerging Threats sigs. I think that's a good place to start, and once that's in place, we can help you figure out the best way to extend that to domain names, URIs, filenames, etc.

Just my 2 cents on why all the time you've been investing into this isn't getting the interest and response one would expect.