[Bro] A question about loading signature files
seth at icir.org
Fri Nov 11 06:37:03 PST 2011
On Nov 9, 2011, at 10:53 PM, zhiquan lai wrote:
> But, recently, I'm trying to use Snort2bro to translate new Snort Rule set to Bro's signature. Unfortunately, I found that Snort2bro does not support some elements of snort like "pcre" which is critical in detecting. Is this why you didn't recommend using the Snort signature?
Bro 2.0-beta doesn't have the snort2bro utility anymore due to it's lagging support for more modern Snort features. If you being relying on it with 1.5, understand that you may not be able to migrate that support to 2.0 and future releases.
We actually have an alternate approach to the Snort rule language now. The Barnyard2 project has a Bro output plugin so that Bro can receive alerts from Snort and Suricata for further correlation and analysis. As you probably understand, it makes the most sense to run those rules in the tool they were originally written and tested for. If we continued attempting to support Snort rules, there is no saying that we would actually be interpreting them completely correctly.
If you are interested in improving Bro's signature support we can certainly talk more.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro