[Bro] Community source for rules

Adam Pumphrey apumphrey at bricata.com
Wed Oct 11 08:49:35 PDT 2017

I also suggest looking at Bro’s Intelligence Framework, https://www.bro.org/sphinx-git/frameworks/intel.html. This is how Bro consumes and makes use of threat intel indicators, which is essentially what the ET rule feeds contain.

There are many intel indicator sources available; some require more effort than others to integrate. As mentioned, some tools exist that can help with that. If you’re looking for an indicator source(s), Criticalstack offers a free feed aggregation service that directly integrates with Bro’s Intel Framework. It’s easy to use and a good tool for quickly getting external indicator sources in. Worth a look if you’re exploring how threat intel, supplementary to ET rule feeds, can be used.


From: <bro-bounces at bro.org> on behalf of fatema bannatwala <fatema.bannatwala at gmail.com>
Date: Tuesday, October 10, 2017 at 3:16 PM
To: matthieu <matthieu at treussart.com>
Cc: bro <bro at bro.org>
Subject: Re: [Bro] Community source for rules

Then, I think you might want to look at the Bro scripting language,
although still you have to script what you are looking for.
Bro has started this awesome Bro-pkg manager project, which is similar to a central repository,
for hosting the various Bro scripts that the community can benefit from:

Here's the list of packages, available for the community to download and install:

Also, there are many individual Bro scripts available on github.
If interested, there's this script from Fox-IT regarding ransomware detection using SMB:


On Tue, Oct 10, 2017 at 2:43 PM, matthieu <matthieu at treussart.com> wrote:
Thank you for your reply.

Yes, I know snort2bro, but I use Snort or Suricata for these rules.
I was hoping there was a Bro rules contribution available on the Internet.
Generic rules that answer to the actuality like WannaCry (SMB) …


On 10 Oct 2017, at 14:36, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:

Hi Matthieu,

I am not aware of any source available for Bro signatures (rules, if that's what you meant),
however, there used to be a script, snort2bro, that converted Snort signatures/rules to corresponding Bro sigs, but it is not maintained anymore.

Not sure what you are looking to solve, but if you know what you are searching for in your traffic,
then you might want to take a look at Bro's Signature Language, to write your own signatures.
Here's the link: https://www.bro.org/sphinx/frameworks/signatures.html

Hope this helps.

