[Bro] About signatures

Robin Sommer robin at icir.org
Mon Oct 5 09:54:34 PDT 2015

You might want to read this paper for more context about Bro's
signature framework: http://www.icir.org/robin/papers/ccs03.ps.

The comment you cite below is not saying that signatures aren't useful
at all in Bro; it's just saying that blindly converting Snort
signatures to Bro signatures hasn't proven to be a very useful thing
to do in practice.


On Mon, Oct 05, 2015 at 18:34 +0200, Vito Logrillo wrote:

> Hi All,
> I'm studying your signature framework
> https://www.bro.org/sphinx/frameworks/signatures.html
> and I've found this explanation:
> "However, in our experience this didn't turn out to be a very useful
> thing to do because by simply using Snort signatures, one can't
> benefit from the additional capabilities that Bro provides; the
> approaches of the two systems are just too different."
> I understand that Bro and Snort have different approaches, but if I
> need a detailed search for a specific string (for example), should I
> write a script? And for several strings?
> Which is the best approach to avoid signatures?
> Thanks

Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
