Unicode Parser??

Can Bro be configured to look for Unicode code points in network traffic then execute event-oriented analyzers that compare the activity with patterns of known bad traffic? I saw a reference language called BINPac that may be able to do this. Thoughts?

> Can Bro be configured to look for Unicode code points in network traffic
> then execute event-oriented analyzers that compare the activity with
> patterns of known bad traffic?

One could write a signature to detect Unicode. The signature match
would raise an event which can then be further analyzed for whatever
indicators the known patterns rely on.

Not sure if this is what you are looking for. Perhaps you could give us
a bit more context?

> I saw a reference language called BINPac that may be able to do
> this. Thoughts?

Binpac is a high-level language to write parsers for application-layer
protocols. A Binpac parser wouldn't look for Unicode itself; it
could however further analyze a specific application which uses
Unicode. See http://www.icir.org/robin/papers/imc06.pdf for more
information.

Robin
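
The signature-then-event approach described in the reply above, as an added example that is not part of the original thread or the Bro distribution. It assumes Bro 2.x syntax, treats "Unicode" as UTF-8 two-byte sequences only, and uses hypothetical file names, a hypothetical signature ID and a constructed placeholder for the known-bad pattern:

```bro
# ---- unicode.sig (hypothetical file name) ----
# Fires on a TCP payload containing a UTF-8 two-byte sequence:
# a lead byte 0xC2-0xDF followed by a continuation byte 0x80-0xBF.
# Other encodings (UTF-16, three- and four-byte UTF-8) are not covered.
signature utf8-two-byte {
  ip-proto == tcp
  payload /.*[\xc2-\xdf][\x80-\xbf]/
  event "UTF-8 two-byte sequence in payload"
}

# ---- unicode.bro (hypothetical file name) ----
@load-sigs ./unicode.sig

# Constructed placeholder; redefine with the indicator you care about.
const known_bad = /PLACEHOLDER-PATTERN/ &redef;

# Count of signature hits per originating host.
global utf8_hits: table[addr] of count &default=0;

event signature_match(state: signature_state, msg: string, data: string)
	{
	# signature_match fires for every signature; handle only ours.
	if ( state$sig_id != "utf8-two-byte" )
		return;

	local id = state$conn$id;
	++utf8_hits[id$orig_h];

	# 'data' is the chunk of payload that triggered the match, so this
	# second-stage check sees only that chunk, not the whole stream.
	if ( known_bad in data )
		print fmt("%s: known-bad pattern, %s:%s -> %s:%s",
		          msg, id$orig_h, id$orig_p, id$resp_h, id$resp_p);
	else
		print fmt("%s: %s:%s -> %s:%s (%d bytes, hit %d from this host)",
		          msg, id$orig_h, id$orig_p, id$resp_h, id$resp_p,
		          |data|, utf8_hits[id$orig_h]);
	}
```

A raw byte-range signature like this also fires on non-text binary payloads that happen to contain those byte pairs, so restricting it by port or protocol keeps the event volume manageable.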