[Bro] bro comparison to snort operation

John Babio jbabio at po-box.esu.edu
Wed Jun 26 10:50:08 PDT 2013

Thank you Seth and Samuel. I appreciate the help. :)

On 6/26/13 1:42 PM, "Seth Hall" <seth at icir.org> wrote:

>On Jun 26, 2013, at 1:21 PM, John Babio <jbabio at po-box.esu.edu> wrote:
>> I need some clarification. I am trying to understand the operations of
>> Bro as it relates to how snort operates. I am having a little trouble
>> with a few things.
>Don't try to draw those comparisons.  They're only going to lead to
>confusion for you. :)
>> 1. Where are default rules/signatures/scripts stored in the folder
>> 2. What log file are we supposed to pay attention to? Communication,
>> Notices, Weird or all of them?
>Any and all logs could be important depending on what you're
>investigating.  Certain logs like communication.log, notice_policy.log,
>and loaded_scripts.log are Bro doing some internal accounting so that if
>you have questions about how it's behaving you may be able to figure that out.
>In "normal" operation the weird log tends to be of less value too (please
>correct me if someone uses that a lot!).  Typically the most important
>logs are the ones that provide some sort of network activity logging
>(i.e. http.log, smtp.log, conn.log, dns.log, software.log, etc)
>> 3. Where do we place custom bro scripts we write?
>I typically recommend that people place scripts into
><prefix>/share/bro/site/ and use the local.bro script in that directory
>to load their scripts.
>> 4. Is there a skeleton of a basic script somewhere so I know where to
>I would take a look at the scripts in <prefix>/share/bro/policy/ (there
>are quite a few) to get a general feel of the land.  That directory and
>all of its subdirectories are where most of the scripts are that detect
>various things.
>> 5. Where in Bro do I specify sending the data to an external ELSA
>That is something you'll have to do outside of Bro.  We don't have any
>direct integration at this point in time.  The SecurityOnion project
>should be able to provide some guidance there since they ship with Bro
>logs integrated in ELSA
>  .Seth
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
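As an added illustration of points 3 and 4 above (this is example code written for this archive page, not a script from the thread or from the Bro project), here is a minimal site script of the kind Seth describes: it lives in <prefix>/share/bro/site/, defines one notice type, and raises it when a connection to a watched port is established. The file name site-skeleton.bro and the port set are assumptions chosen for the example.

```bro
# Added example, not from the thread. Assumed to be saved as
#   <prefix>/share/bro/site/site-skeleton.bro
# and loaded from local.bro in the same directory with the line:
#   @load ./site-skeleton
#
# It defines one Notice::Type and raises it from the connection_established
# event, so a run of the script produces entries in both conn.log and
# notice.log, which are the "network activity" logs worth watching first.

module SiteSkeleton;

export {
    redef enum Notice::Type += {
        ## Raised when a connection to one of the watched ports is established.
        Watched_Port_Connection,
    };

    ## Ports whose connections should raise the notice. The values here are
    ## constructed sample values; override them with redef from local.bro.
    const watched_ports: set[port] = { 23/tcp, 2323/tcp } &redef;
}

event connection_established(c: connection)
    {
    # c$id$resp_p is the responder (server-side) port of the connection.
    if ( c$id$resp_p in watched_ports )
        NOTICE([$note=Watched_Port_Connection,
                $msg=fmt("connection to watched port %s", c$id$resp_p),
                $conn=c,
                # identifier lets the notice framework suppress duplicates
                # for the same responder host and port.
                $identifier=cat(c$id$resp_h, c$id$resp_p)]);
    }
```

To try it offline, add the @load line to local.bro and run the script against a saved trace with `bro -r some-trace.pcap local`; notice.log in the working directory will contain a SiteSkeleton::Watched_Port_Connection row for each matching connection. On a managed cluster, `broctl check` will report parse errors in the new script before it is installed.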
