[Bro] Using snort2bro
Paolo Tironi
paolo.tironi85 at gmail.com
Thu Jul 17 06:06:06 PDT 2008
I've just resolved the problem.
Now I understand how to use s2b and I've just converted a snort rule into a bro
policy. I redirected the stdout to a file .bro. The result is a file with
many rows of code, but I can't use it as a bro policy (error: unknown
identifier signature, at or near "signature").
The structure of the file is:
signature 549-8 {
ip-proto == tcp
src-ip == local_nets
dst-ip != local_nets
dst-port == 8888
tcp-state established,originator
event "P2P napster login"
payload /.*\x00\x02\x00/
}
This is not equal to a classic bro policy.
How can I use it to create my own policy?
Thanks
Paolo Tironi
2008/7/17 Paolo Tironi <paolo.tironi85 at gmail.com>:
> Hi, I can't use snort2bro.
> I followed the wiki instructions (
> http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> but it says: snort2bro command not found.
> I know that it has to be already installed with bro, but if I give "locate
> snort2bro", I can't find it.
>
> How can I use it?
>
> Thanks
> Paolo Tironi
>