regular expressions in bro signatures (payload)

Zeek
1

Hello All:

I have been trying to port some bleeding-edge snort signatures to bro to detect bots on the network. I used s2b or snort2bro.pl script to convert these snort signatures to bro format but the script ignores pcre (perl competible regualar expression) directive and comments its out (refer the signature below)

signature sid-2001787 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: pcre: /(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i
  event "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command"
  tcp-state established
  }

How I can (or cannot) use regular expressions in payload directive in bro signatures ? Can you guys point me to a writeup or man page for this ?

I see other (converted) signatures do have payload directive which uses regualar expressions but those are fairly straight forward RE searches. Is it possible to create constructs using "or" ( "|"), "{}", "[]", () etc in payload section of signatures ? In other words, how can I port the pcre payload check (above signature) as regualar expression for payload to bro ?

Also, are RE in signatures case sensitive too ?

Thanks a lot for the help.

Aashish Sharma

2

How I can (or cannot) use regular expressions in payload directive
in bro signatures ?

The payload directive supports all of Bro's usual regular expression
operators. IIRC, there's a section on patterns in Bro's manual (Bro
uses the same syntax for regexps than flex).

You're right, snort2bro does not support pcre yet. There's an
experimental version which does but that isn't finished yet.

(Btw, Bro's signatures supported regular expressions even before
Snort got pcre. :slight_smile:

Also, are RE in signatures case sensitive too ?

Yes, they are.

Robin