Event signatures

Vern Paxson vern at ee.lbl.gov
Wed Oct 6 01:46:41 PDT 1999


> I wonder if there is a repository of attack signatures (e.g., for various
> NetBIOS/SMB-based attacks) that can be added to Bro.
> If not, maybe we should start one?

Bro isn't quite attack-signature based but rather event-pattern based,
but modulo that nit, the only such repository right now is embodied
in the sample policy scripts distributed with the alpha release.  It
would be terrific if the community starts working on sets of Bro attack
patterns - that's long been my hope, though I've realized it won't
really start until there's a user manual (which I'm working on but is
very slow in coming).

		Vern


