[Bro] Using snort2bro
Lorenzo Cavallaro
sullivan at cs.ucsb.edu
Thu Jul 17 11:19:51 PDT 2008
Hi Paolo,
On Thu, Jul 17, 2008 at 01:06:06PM +0000, Paolo Tironi wrote:
> signature 549-8 {
> ip-proto == tcp
> src-ip == local_nets
> dst-ip != local_nets
> dst-port == 8888
> tcp-state established,originator
> event "P2P napster login"
> payload /.*\x00\x02\x00/
> }
>
> this is not equal to a classic Bro policy.
> How can I use it to create my own policy?
You can write your own Bro policy script which defines a
signature_match event handler for signatures to catch specifically
this signature on your own (the signature_match event is triggered
for every signature matching, but it receives a signature_state
parameter which contains the id of the signature being matched. In
your case it'd be 549-8).
Alternatively, just uncomment brolite-sigs (i.e., @load it) in your
host file generated when Bro was installed (it's usually in
site/<hostname>.bro). I suggest you read brolite-sigs.bro as well,
as you may also want to redefine signature_files to include your own
signature file.
Also, take a look at
http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures
bye,
Lorenzo
> 2008/7/17 Paolo Tironi <paolo.tironi85 at gmail.com>:
>
> > Hi, I can't use snort2bro.
> > I follow the wiki instruction (
> > http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> > but it says: snort2bro command not found.
> > I know that it has to be already installed with Bro, but if I give "locate
> > snort2bro", I can't find it.
> >
> > How can I use it?
> >
> > thanks
> > Paolo Tironi
> >
--
Lorenzo `Gigi Sullivan' Cavallaro <sullivan at cs.ucsb.edu>
GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)
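As an added illustration of the first approach Lorenzo describes (not code from the thread or from the Bro distribution), here is a site-local policy script that handles signature_match and filters on the signature id 549-8 from Paolo's mail. It assumes the Bro 1.x field names state$id and state$conn for the signature_state record, that signature_files is a whitespace-separated string in that version, and a hypothetical local.sig file holding the signature; the notice name and the per-host counter are mine.

```bro
# Added example: site policy reacting to matches of signature 549-8.
# Assumes Bro 1.x (2008-era) record field names; local.sig is a
# hypothetical file containing the signature from the thread.
@load notice
@load brolite-sigs

# Load local.sig alongside the default signature set. In Bro 1.x
# signature_files is a whitespace-separated string, hence the leading space.
redef signature_files += " local.sig";

# A dedicated notice type so the match shows up in notice.log and can be
# tuned independently of the generic SensitiveSignature notice.
redef enum Notice += {
	P2P_Napster_Login,
};

# How often each internal host has tripped the signature.
global napster_logins: table[addr] of count &default = 0;

event signature_match(state: signature_state, msg: string, data: string)
	{
	# This handler fires for every signature that matches, so select
	# the one we care about by its id (the Snort sid-rev from the .sig).
	if ( state$id != "549-8" )
		return;

	local c = state$conn;
	local orig = c$id$orig_h;
	++napster_logins[orig];

	# msg is the event text from the signature ("P2P napster login");
	# data holds the payload that matched, which we deliberately do not log.
	NOTICE([$note=P2P_Napster_Login, $conn=c,
		$msg=fmt("%s -> %s:%s: %s (match #%d for this host)",
			orig, c$id$resp_h, c$id$resp_p, msg,
			napster_logins[orig])]);
	}
```

Load it from site/<hostname>.bro with @load after brolite-sigs, and confirm the signature is being picked up by checking signatures.log before relying on the notice.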