[Bro] bro comparison to snort operation

Oehlert, Samuel J soehlert at illinois.edu
Wed Jun 26 10:40:59 PDT 2013


1. The default policies are underneath $BROHOME/share/bro/, but keep in mind you should never edit these policy files.
2. That's tough to answer because that's really up to you. You can look at whatever log you find most helpful; it depends on the situation. Maybe if you could clarify what you are hoping to find, we can help point you to the correct log.
3. Site-specific policies go in $BROHOME/share/bro/site, as this directory does not get overwritten on updates, meaning your policies will persist.
4. Personally, I found it best to look at the default policies (which you can find here: http://www.bro.org/sphinx/scripts/index.html), as well as here: https://github.com/languages/Bro
5. That I'm not sure of, sorry.

Sam Oehlert <soehlert at illinois.edu>
(217) 300-1076
Security Engineer
National Center for Supercomputing Applications

On Jun 26, 2013, at 12:21 PM, John Babio <jbabio at po-box.esu.edu> wrote:

Hello Group,
I need some clarification. I am trying to understand the operations of Bro and how it relates to how snort operates. I am having a little trouble with a few things.

1. Where are default rules/signatures/scripts stored in the folder structure?
2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?
3. Where do we place custom bro scripts we write?
4. Is there a skeleton of a basic script somewhere so I know where to start?
5. Where in Bro do I specify sending the data to an external ELSA server?

Thanks for your help!

Bro mailing list
bro at bro-ids.org
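As an added example, not code from either poster or from the Bro project, here is the kind of site-local skeleton script that Sam's item 3 and John's question 4 are about. It assumes Bro 2.x script syntax and is meant to live under $BROHOME/share/bro/site so it survives upgrades; the module name SiteSkeleton, the notice type Watched_Path_Request and the path set are constructed for illustration.

```bro
##! Skeleton site policy (added example, not project code).
##! Save as $BROHOME/share/bro/site/site_skeleton.bro and @load it from local.bro.

@load base/frameworks/notice

module SiteSkeleton;   # hypothetical module name

export {
    ## Register a site-specific notice type with the Notice framework.
    redef enum Notice::Type += {
        ## Raised when an HTTP request asks for a path we want to keep an eye on.
        Watched_Path_Request,
    };

    ## Paths to watch. Constructed example value; override it from local.bro
    ## with "redef SiteSkeleton::watched_paths += { ... };".
    const watched_paths: set[string] = { "/admin" } &redef;
}

## Bro's startup event: a cheap way to confirm the script actually loaded.
event bro_init()
    {
    print fmt("SiteSkeleton loaded, watching %d path(s)", |watched_paths|);
    }

## Fires once for every HTTP request Bro's HTTP analyzer parses.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( unescaped_URI in watched_paths )
        NOTICE([$note=Watched_Path_Request,
                $msg=fmt("%s %s from %s", method, unescaped_URI, c$id$orig_h),
                $conn=c,
                # $identifier lets Notice::default_suppression_interval collapse
                # repeats of the same client/path pair into one notice.
                $identifier=cat(c$id$orig_h, unescaped_URI)]);
    }
```

To activate it, add `@load site_skeleton` to $BROHOME/share/bro/site/local.bro, then run `broctl check` to catch syntax errors before `broctl install` and `broctl restart`. Anything raised through NOTICE() shows up in notice.log, which is usually the first log to watch for custom detections of this kind.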
