[Bro] Bro Signature Framework Examples

Liam Randall liam.randall at gigaco.com
Wed Feb 4 05:52:38 PST 2015


If you look under policy/frameworks/signatures/detect-windows-shells.sig:

You'll find an example signature that ships with Bro.  Additionally, each
protocol analyzer is enabled by a signature used in the dynamic protocol
detection (dpd) process; for example please see http's signature:

There are a lot of novel uses of signatures in Bro; in Jon bitcoin mining
protocol detection he uses a signature to enable an analysis process:

Many of the "signatures" you would use to find basic indicators of
compromise (domains, ip addresses, file hashes, etc) are handled by the
intelligence framework:


Liam Randall

On Wed, Feb 4, 2015 at 7:09 AM, <just2 at arcor.de> wrote:

> Hello everyone,
> for testing purposes, I want to run Bro with signatures (similar to Snort).
> On https://www.bro.org/sphinx/frameworks/signatures.html it is described
> how to configure bro to use a signature file.
> However, I did not find a sample signature file. Also, it is stated that
> Snort signatures can no longer be transfered to Bro.
> Is there another way to (easily) import a bulk of the most common
> signatures? Is there any example file?
> Thanks,
> Myra
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150204/c82f7d54/attachment.html 

More information about the Bro mailing list