<div dir="ltr">I've just resolved the problem.<br>Now I understand how to use s2b and I've just converted a Snort rule into a Bro policy. I redirected the stdout to a .bro file. The result is a file with many rows of code, but I can't use it as a Bro policy (error: unknown identifier signature, at or near "signature"). <br>
The structure of the file is:<br><br>signature 549-8 {<br> ip-proto == tcp<br> src-ip == local_nets<br> dst-ip != local_nets<br> dst-port == 8888<br> tcp-state established,originator<br> event "P2P napster login"<br>
payload /.*\x00\x02\x00/<br> }<br><br>This is not the same as a classic Bro policy.<br>How can I use it to create my own policy?<br><br>Thanks<br><br>Paolo Tironi<br><br><div class="gmail_quote">2008/7/17 Paolo Tironi &lt;<a href="mailto:paolo.tironi85@gmail.com">paolo.tironi85@gmail.com</a>&gt;:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr">Hi, I can't use snort2bro.<br>I followed the wiki instructions (<a href="http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro" target="_blank">http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro</a>) but it says: snort2bro command not found.<br>
I know that it has to be already installed with Bro, but if I run "locate snort2bro", I can't find it.<br><br>How can I use it?<br><br>Thanks <br>Paolo Tironi<br></div>
</blockquote></div><br></div>