[Bro] About signatures

anthony kasza anthony.kasza at gmail.com
Mon Oct 5 12:38:21 PDT 2015


Bro's use of signatures is focussed more on protocol identification than on
alerting an operator to malicious/benign packets.

-AK
On Oct 5, 2015 12:13 PM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:

> Thanks Robin for your reply.
> I've read your paper and i think i've understood why a blindy
> convertion is not so useful: one reason is the possible generation of
> many false positives(correct me if i'm wrong).
> Can you suggest me a repository or a link where i can find signatures
> specifically written for Bro?
> Thanks
> Vito
>
>
>
> 2015-10-05 18:54 GMT+02:00 Robin Sommer <robin at icir.org>:
> > You might want to read this paper for more context about Bro's
> > signature framework: http://www.icir.org/robin/papers/ccs03.ps.
> >
> > The comment you cite below is not saying signatures that aren't useful
> > at all in Bro; it's just saying that blindly converting Snort
> > signatures to Bro signatures hasn't proven to be a very useful thing
> > to do in practice.
> >
> > Robin
> >
> > On Mon, Oct 05, 2015 at 18:34 +0200, Vito Logrillo wrote:
> >
> >> Hi All,
> >> i'm studying your signature framework
> >> https://www.bro.org/sphinx/frameworks/signatures.html
> >> and i've found this explanation
> >>
> >> " However, in our experience this didn’t turn out to be a very useful
> >> thing to do because by simply using Snort signatures, one can’t
> >> benefit from the additional capabilities that Bro provides; the
> >> approaches of the two systems are just too different"
> >>
> >> I understand that Bro and Snort have different approaches, but if i
> >> need a detailed research on a specific string (for example) should i
> >> write a script?And for several strings?
> >> Which is the best approach to avoid signatures?
> >> Thanks
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
> >
> >
> > --
> > Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151005/e9527f86/attachment.html 


More information about the Bro mailing list