[Bro] Using snort2bro

Paolo Tironi paolo.tironi85 at gmail.com
Thu Jul 17 06:06:06 PDT 2008


I've just resolved the problem.
Now I understand how to use s2b and I've just converted a Snort rule into a Bro
policy. I redirected the stdout to a .bro file. The result is a file with
many rows of code, but I can't use it as a Bro policy (error: unknown
identifier signature, at or near "signature").
The structure of the file is:

signature 549-8 {
  ip-proto == tcp
  src-ip == local_nets
  dst-ip != local_nets
  dst-port == 8888
  tcp-state established,originator
  event "P2P napster login"
  payload /.*\x00\x02\x00/
  }

This is not the same as a classic Bro policy.
How can I use it to create my own policy?

Thanks

Paolo Tironi

2008/7/17 Paolo Tironi <paolo.tironi85 at gmail.com>:

> Hi, I can't use snort2bro.
> I followed the wiki instructions (
> http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> but it says: snort2bro command not found.
> I know that it has to be already installed with Bro, but if I run "locate
> snort2bro", I can't find it.
>
> How can I use it?
>
> Thanks
> Paolo Tironi
>