[Bro] About signatures
robin at icir.org
Mon Oct 5 09:54:34 PDT 2015
You might want to read this paper for more context about Bro's
signature framework: http://www.icir.org/robin/papers/ccs03.ps.
The comment you cite below is not saying that signatures aren't useful
at all in Bro; it's just saying that blindly converting Snort
signatures to Bro signatures hasn't proven to be a very useful thing
to do in practice.
On Mon, Oct 05, 2015 at 18:34 +0200, Vito Logrillo wrote:
> Hi All,
> I'm studying your signature framework
> and I've found this explanation
> " However, in our experience this didn’t turn out to be a very useful
> thing to do because by simply using Snort signatures, one can’t
> benefit from the additional capabilities that Bro provides; the
> approaches of the two systems are just too different"
> I understand that Bro and Snort have different approaches, but if I
> need detailed research on a specific string (for example), should I
> write a script? And for several strings?
> Which is the best approach to avoid signatures?
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
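An added illustration of what the "additional capabilities" in the quoted passage look like in practice; this is editor-supplied example code, not part of the original thread and not from Bro's own distribution. It uses Bro 2.x syntax and shows the string search the question asks about done the Bro way: a signature that matches the string only in decoded HTTP request URIs, an `eval` condition that consults script state (an allow list) before the match counts, and a `signature_match` handler that adds per-client counting and a notice. Searching for several strings works the same way, with one signature per string or an alternation in one regex. The signature name, module name, file names, the `/admin/config.php` string, the allow-listed address and the threshold are all made up for this example.

```bro
# ---- string-hunt.sig (constructed example, not from the original thread) ----
signature example-admin-uri {
    ip-proto == tcp
    tcp-state established
    # Matched against the decoded request URI, not the raw byte stream, on any
    # connection Bro's HTTP analyzer is attached to (no port condition needed).
    # Signature patterns are anchored, hence the leading .* .
    http-request /.*\/admin\/config\.php/
    # Script-side condition: the match is dropped if this returns F.
    eval Example::check_match
    event "example: request for /admin/config.php"
}

# ---- string-hunt.bro (constructed example, not from the original thread) ----
@load base/frameworks/notice
@load base/protocols/http
@load-sigs ./string-hunt.sig

module Example;

export {
    redef enum Notice::Type += {
        ## Raised when a client outside the allow list keeps hitting the page.
        Admin_URI_Probe,
    };

    ## Clients allowed to fetch the page; placeholder address.
    const allowed_admin_clients: set[addr] = { 10.0.0.5 } &redef;

    ## Matches per client before a notice is raised; made-up value.
    const report_threshold = 3 &redef;

    ## Referenced by the signature's "eval" condition.
    global check_match: function(state: signature_state, data: string): bool;
}

# Per-client match counter; entries expire after 10 minutes without writes.
global hits: table[addr] of count &default=0 &write_expire=10 min;

function check_match(state: signature_state, data: string): bool
    {
    # Only consider the originator (client -> server) direction.
    if ( ! state$is_orig )
        return F;

    # Connection context a converted Snort rule would not carry: who is asking.
    return state$conn$id$orig_h !in allowed_admin_clients;
    }

# Fires once per signature match that check_match() let through.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "example-admin-uri" )
        return;

    local client = state$conn$id$orig_h;
    ++hits[client];

    if ( hits[client] == report_threshold )
        NOTICE([$note=Admin_URI_Probe,
                $conn=state$conn,
                $msg=fmt("%s: %d requests from %s", msg, hits[client], client),
                $identifier=cat(client)]);
    }
```

Run it against a trace with `bro -r trace.pcap string-hunt.bro`; the `@load-sigs` path is relative to the script, so keep both files together. The pattern itself is no more expressive than a Snort content match; the point is that the `eval` condition and the event handler put the decision in script code, where connection state, allow lists and thresholds are available.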