[Bro] signatures: pros/cons, future plans for bro

Philippe Strauss philou at philou.ch
Thu May 15 05:13:15 PDT 2008

Hello Bro users,

I'm currently reviewing opensource IDS for usage at an ISP.
I really like bro clean and well thought design and implementation (C++
source code is really clean, especially when compared to snort C's which
looks messy, TCP stream reconstruction was there way before snort, it's
implemented in 5 times less kB of source code than snort etc...)

But the needs of an IDS at an ISP may be a bit different than at an
EDU/R&D site like Bro seems to have been designed for.

Having a signature matcher is a must at an ISP: having a set of
signature matching against the latest PHP whatever apps vulnerability in
front of a hosting room for example.

Bro does support it, but rather badly: there's a really good, custom
built stream based regexp matcher, but the set of signature is the one of snort,
using a pair or perl/python script to convert it.

Conversion, between two different semantic pattern matcher leads to
errors: in the snort2bro generated file, you'll see a lot of
# Not supported
line about string position or regexp syntax.

My question is: is there plan to have a better support of bro signature,
by improving snort2bro and/or modifiying the bro pattern matcher to be
closer than snort one?

Is there needs in the bro users community that match the ones I

Also, I've read somewhere of futures plan to have netflow support, what
is the plan (the idea is very good: coarse grained unsual flow detection
using netflow, the refined analysis thru bro)


Philippe Strauss
av. de Beaulieu 25
1004 Lausanne

More information about the Bro mailing list