Well, one reason would be to aid in detecting malware C2 traffic that can't be detected with simple signatures or regular math operations.

As a grossly simplified example, imagine you've reverse engineered a piece of C2 malware and have figured out what their handshake protocol looks like. This malware always puts a key somewhere in the packet and then uses that key to XOR data in other parts of the packet. This method would be used as a simple traffic obfuscation technique to prevent traditional signature detection.

As it stands, there's very little way (frankly, no way) for Bro to detect this sort of stuff (and that was my response when someone asked if we could implement something in Bro to detect some C2 traffic we're trying to track).

Assuming you have the full range of the Bro language to leverage in the signature framework's eval function, this is pretty much a requirement for writing more advanced signatures and one of the reasons Snort introduced Shared Object Rules into their system (http://blog.snort.org/2011/02/snort-shared-object-rules.html).
On Sat, May 24, 2014 at 12:31 AM, Vern Paxson <vern@icir.org> wrote:
> Looks like it wouldn't be too difficult to add bitwise operators that work
> on integral types (int and count)

Sure.  But can you please sketch a compelling use case for which it's
important to add this functionality?  That's the general bar for deciding
what sort of features to add.

                Vern
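The detection logic the reply above describes (pull a per-packet key out of a fixed position, XOR-decode the obfuscated region with it, then look for known handshake plaintext) written out as an added example that is not part of this thread and not Bro/Zeek code. It is in Python because the point of the thread is that the Bro script language at the time lacked the bitwise operators such a check needs; the packet layout (key byte at offset 4, obfuscated body from offset 8), the plaintext marker `HELLO` and the sample payloads are all constructed for the example and correspond to no real malware family.

```python
from typing import Optional, Tuple

# Constructed protocol layout for the example (not a real C2 format):
#   bytes 0..3  fixed header
#   byte  4     one-byte XOR key chosen per packet
#   bytes 5..7  padding
#   bytes 8..   body, XOR-ed byte-wise with the key
KEY_OFFSET = 4
BODY_OFFSET = 8
MARKER = b"HELLO"  # assumed plaintext every genuine handshake body starts with


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def recover_handshake(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded body) if `payload` looks like the obfuscated
    handshake, else None.  A fixed byte-string signature cannot do this,
    because the on-the-wire bytes change with every key."""
    if len(payload) <= BODY_OFFSET:
        return None
    key = payload[KEY_OFFSET]
    body = xor_decode(payload[BODY_OFFSET:], key)
    if not body.startswith(MARKER):
        return None
    return key, body


def static_signature_match(payload: bytes, pattern: bytes) -> bool:
    """What a plain content signature can do: look for literal bytes."""
    return pattern in payload


# Constructed sample packets.  Both carry the body "HELLO ..." but with
# different keys, so their raw bytes share nothing a static signature
# could key on.
SAMPLE_KEY_5A = (
    b"\x01\x00\x00\x00" + b"\x5a" + b"\x00\x00\x00"
    + b"\x12\x1f\x16\x16\x15z85.wk"        # "HELLO bot-1" ^ 0x5A
)
SAMPLE_KEY_A3 = (
    b"\x01\x00\x00\x00" + b"\xa3" + b"\x00\x00\x00"
    + b"\xeb\xe6\xef\xef\xec\x83\xdb"      # "HELLO x" ^ 0xA3
)
BENIGN = b"GET / HTTP/1.1\r\n"            # ordinary traffic, must not match


if __name__ == "__main__":
    for name, pkt in (("key 0x5A", SAMPLE_KEY_5A),
                      ("key 0xA3", SAMPLE_KEY_A3),
                      ("benign", BENIGN)):
        print(name, "->", recover_handshake(pkt))
    # The literal bytes of the 0x5A sample's marker do not appear in the
    # 0xA3 sample, which is exactly why the XOR step is needed.
    print("static match across keys:",
          static_signature_match(SAMPLE_KEY_A3, b"\x12\x1f\x16\x16\x15"))
```

The `recover_handshake` function is the part a signature framework would need to express: one table lookup for the key, a bitwise XOR over a slice, and a comparison. Everything else is fixture. Rather than XOR-ing, a per-packet key could equally be added or rotated into the body, and the same argument applies: without integer bitwise (or at least modular) operations in the script language, the decode step has to live outside Bro.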