[Bro] Adding new signatures

Vern Paxson vern at icir.org
Tue Jun 27 11:53:39 PDT 2006

> Though my final intention is to make the BRO-IDS support bittorrent
> protocol .

If that's your goal, then you should start quite differently.  For Bro,
signatures are a handy add-on, but not the heart of its analysis.  Instead,
you should develop a protocol analyzer for Bro's event engine.  Often a
good way to develop one of these is to start with an existing one for a
similar protocol and progressively modify it.


