[Bro] signatures: pros/cons, future plans for bro

Philippe Strauss philou at philou.ch
Thu May 15 05:13:15 PDT 2008


Hello Bro users,

I'm currently reviewing opensource IDS for usage at an ISP.
I really like Bro's clean and well-thought-out design and implementation (the C++
source code is really clean, especially when compared to Snort's C, which
looks messy; TCP stream reconstruction was there way before Snort; it's
implemented in 5 times fewer kB of source code than Snort, etc.)

But the needs of an IDS at an ISP may be a bit different from those at an
EDU/R&D site, which Bro seems to have been designed for.

Having a signature matcher is a must at an ISP: having a set of
signatures matching against the latest PHP-whatever app vulnerability in
front of a hosting room, for example.

Bro does support it, but rather badly: there's a really good, custom-built
stream-based regexp matcher, but the signature set is Snort's,
using a pair of Perl/Python scripts to convert it.

Conversion between two pattern matchers with different semantics leads to
errors: in the snort2bro generated file, you'll see a lot of
# Not supported
lines about string position or regexp syntax.

My question is: are there plans for better support of Bro signatures,
by improving snort2bro and/or modifying the Bro pattern matcher to be
closer to Snort's?

Are there needs in the Bro user community that match the ones I
describe?

Also, I've read somewhere of future plans to have NetFlow support; what
is the plan? (The idea is very good: coarse-grained unusual flow detection
using NetFlow, with the refined analysis through Bro.)

Regards.

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch
