[Bro] Using snort2bro

Lorenzo Cavallaro sullivan at cs.ucsb.edu
Thu Jul 17 11:19:51 PDT 2008 

Hi Paolo,

On Thu, Jul 17, 2008 at 01:06:06PM +0000, Paolo Tironi wrote:
> signature 549-8 {
>   ip-proto == tcp
>   src-ip == local_nets
>   dst-ip != local_nets
>   dst-port == 8888
>   tcp-state established,originator
>   event "P2P napster login"
>   payload /.*\x00\x02\x00/
>   }
> 
> this is not equal to a classic bro policy.
> How can i use it to create my own policy?

   You can write your own Bro policy script which defines a
   signature_match event handler for signatures to catch specifically
   this signature on your own (the signature_match event is triggered
   for every signatures mathing but it receives a signature_state
   parameter which contains the id of the signature being matched. In
   you case it'd be 549-8).

   Alternatively, just uncomment brolite-sigs (i.e., @load it) in your
   host file generated when Bro was installed (it's usually in 
   site/<hostname>.bro). I suggest you to read brolite-sigs.bro as well
   as you may also want to redefine signature_files to include your own
   signature file.

   Also, take a look at
   http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures

bye,
Lorenzo

> 2008/7/17 Paolo Tironi <paolo.tironi85 at gmail.com>:
> 
> > Hi, i can't use snort2bro.
> > I follow the wiky instruction (
> > http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> > but it say: snort2bro command not found.
> > I know that it has to be already installed with bro, but if i give "locate
> > snort2bro", i can't find it.
> >
> > How can i use it?
> >
> > thanks
> > Paolo Tironi
> >

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
Lorenzo `Gigi Sullivan' Cavallaro <sullivan at cs.ucsb.edu>
GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)

See the reality in your eyes, when the hate makes you blind. (A.H.X)

More information about the Bro mailing list