Hi,

On Sat, 2010-08-14 at 10:02 -0500, Martin Holste wrote:
> If you're looking to do never-wrong, full normalization, then yes, you're looking at thousands of signatures. However, if you're looking to extract some common fields, it's actually not that much work to grab things like IP addresses using regexp. Since regexp is slow, I'm thinking about writing some generic patterns that would match on IPs using the fast pattern matcher. I don't know if it'll work, but it would look like "@ANYSTRING@@IPv4@@ANYSTRING@" and then maybe another one to grep out two IPs, then another for three, etc. I have no idea if that will work; we'll see how it goes.
No, this one will not work: patterndb doesn't have backtracking, so if you want to look for IP addresses this way, you'd need to write a custom parser plugin. It'd be way faster than using regexps, although possibly slower than patterndb, especially if you'd be looking for many different data types.

-- Bazsi
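To illustrate the point above, here is an added example (not code from the thread or from syslog-ng): a deliberately simplified model of a left-to-right matcher without backtracking, where a greedy ANYSTRING token consumes the rest of the message and can never give characters back, beside the regexp that does backtrack and a single-pass scanner of the kind a custom parser plugin would implement. The matcher model, the sample log line and the function names are all assumptions made for the demonstration.

```python
import re

# Octet-accurate IPv4 literal (0-255 per octet).
OCTET = r'(?:25[0-5]|2[0-4]\d|1?\d?\d)'
IPV4_RE = re.compile(OCTET + r'(?:\.' + OCTET + r'){3}')

def match_no_backtrack(pattern, msg):
    """Simplified model of a left-to-right matcher with no backtracking (assumption:
    it reproduces only the property discussed in the thread, not patterndb itself).
    pattern is a list of tokens: 'ANYSTRING' (greedy, consumes the rest of the
    message and is never revisited) or 'IPv4'. Returns the captured IPv4 strings,
    or None when the pattern fails to match the whole message."""
    pos, found = 0, []
    for tok in pattern:
        if tok == 'ANYSTRING':
            pos = len(msg)                       # eats everything, no way back
        elif tok == 'IPv4':
            m = IPV4_RE.match(msg, pos)          # must start exactly at pos
            if not m:
                return None
            found.append(m.group(0))
            pos = m.end()
    return found if pos == len(msg) else None

def match_with_backtrack(msg):
    """The regexp equivalent: '.*?' can give characters back, so it succeeds."""
    m = re.fullmatch(r'.*?(' + IPV4_RE.pattern + r').*', msg)
    return m.group(1) if m else None

def extract_ipv4_scan(msg):
    """Single-pass scanner in the spirit of a custom parser plugin: walk the message
    once, collect runs of digits and dots, keep the ones that are valid dotted quads."""
    found, i, n = [], 0, len(msg)
    while i < n:
        if not msg[i].isdigit():
            i += 1
            continue
        j = i
        # extend over digits, and over a dot only when a digit follows it
        while j < n and (msg[j].isdigit() or (msg[j] == '.' and j + 1 < n and msg[j + 1].isdigit())):
            j += 1
        parts = msg[i:j].split('.')
        if len(parts) == 4 and all(len(p) <= 3 and int(p) <= 255 for p in parts):
            found.append(msg[i:j])
        i = j
    return found

# Constructed sample line, not taken from any real system.
SAMPLE = "Aug 14 10:02:31 fw kernel: ACCEPT src=10.0.0.1 dst=192.168.1.20 proto=tcp"

if __name__ == "__main__":
    print(match_no_backtrack(['ANYSTRING', 'IPv4', 'ANYSTRING'], SAMPLE))  # None
    print(match_with_backtrack(SAMPLE))                                     # 10.0.0.1
    print(extract_ipv4_scan(SAMPLE))                      # ['10.0.0.1', '192.168.1.20']
```

The scanner also shows the cost Bazsi mentions: every additional data type you want to extract needs its own hand-written recognizer in the same pass.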