[Bro] About signatures

Vito Logrillo vitologrillo at gmail.com
Mon Oct 5 09:34:21 PDT 2015


Hi All,
I'm studying your signature framework
https://www.bro.org/sphinx/frameworks/signatures.html
and I've found this explanation

" However, in our experience this didn’t turn out to be a very useful
thing to do because by simply using Snort signatures, one can’t
benefit from the additional capabilities that Bro provides; the
approaches of the two systems are just too different"

I understand that Bro and Snort have different approaches, but if I
need a detailed research on a specific string (for example) should I
write a script? And for several strings?
Which is the best approach to avoid signatures?
Thanks
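An added example (not from the poster, the Bro documentation or the Bro project) of how several strings are usually handled with the framework: the strings go into one signature file, and one Bro script reacts to the `signature_match` events the framework raises for all of them. The file names, signature ids and the two placeholder strings are my own assumptions.

```bro
# --- strings.sig (Bro signature file; placeholder patterns, constructed) ---
# Payload patterns are anchored at the start of the payload, hence the leading .*
signature watch-string-a {
    ip-proto == tcp
    dst-port == 80
    payload /.*PLACEHOLDER_STRING_A/
    event "watch-string-a: string A seen in client payload"
}

signature watch-string-b {
    ip-proto == tcp
    dst-port == 80
    payload /.*PLACEHOLDER_STRING_B/
    event "watch-string-b: string B seen in client payload"
}

# --- strings.bro (script that consumes the matches; assumed file name) ---
@load base/frameworks/notice
@load-sigs ./strings.sig

module WatchStrings;

export {
    redef enum Notice::Type += { String_Seen };
    # Signature ids this script reports on; keep in sync with strings.sig.
    const tracked: set[string] = { "watch-string-a", "watch-string-b" } &redef;
}

# Raised by the signature framework for each signature that matches a connection.
# msg is the text given in the signature's "event" line, data the matched payload.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id !in tracked )
        return;

    NOTICE([$note=String_Seen,
            $msg=msg,
            $sub=fmt("matched %s", state$sig_id),
            $conn=state$conn,
            $identifier=cat(state$sig_id, state$conn$id$orig_h)]);
    }
```

Running `bro -r sample.pcap strings.bro` against a capture then yields one String_Seen notice per matching connection and signature, so adding a third string is a new block in strings.sig plus its id in `tracked`, not a new script.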


