[Bro] signatures: pros/cons, future plans for bro

Robin Sommer robin at icir.org
Thu May 15 11:11:27 PDT 2008


Hi Philippe,

great to hear you guys are considering Bro.

On Thu, May 15, 2008 at 14:13 +0200, Philippe Strauss wrote:

> Conversion between two different semantic pattern matchers leads to
> errors: in the snort2bro generated file, you'll see a lot of
> # Not supported
> lines about string position or regexp syntax.

You're absolutely right. I don't recommend using snort2bro anymore;
it's outdated and doesn't support many of Snort's new options.

> My question is: are there plans to have better support for Bro signatures,
> by improving snort2bro and/or modifying the Bro pattern matcher to be
> closer to the Snort one?

No, not on our side; we don't maintain it anymore. For our setups,
we have decided that converting Snort rules is not really worth the
trouble; we don't get enough benefit out of them. (YMMV.)

> Are there needs in the Bro user community that match the ones I
> describe?

A few folks have expressed interest in the past in bringing
snort2bro back to life. If somebody were to take over snort2bro
development, I'm sure the Bro community would appreciate that.

(I actually once started to build a better
snort-regexp-to-bro-regexp converter but I'm afraid I lost the code;
can't find it anymore :-( )

> Also, I've read somewhere of future plans to have NetFlow support; what
> is the plan? (The idea is very good: coarse-grained unusual flow detection
> using NetFlow, then the refined analysis through Bro.)

There's experimental NetFlow support, written by Bernhard Ager, in
my working branch. I plan to write a few words about how to use it
on the ICSI blog sometime soon.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
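The "# Not supported" lines Philippe mentions are what a rule converter emits when a Snort option has no equivalent in Bro's signature language. As an added illustration (not code from the original thread, not the real snort2bro script, and not part of Bro), the sketch below converts a simple Snort rule into a Bro `signature { ... }` block, maps `content` to a `payload /.../` regexp, and flags the position and regexp options (`offset`, `depth`, `distance`, `within`, `pcre`, `nocase`) exactly the way the thread describes. The Bro signature syntax (`ip-proto`, `dst-port`, `payload`, `event`) is the documented one; the sample rule and the option split on `;` (which does not handle `;` inside quoted strings) are simplifications made for this example.

```python
import re

# Options whose semantics a simple converter cannot express in a Bro
# payload regexp: byte positions, relative matching, and Snort's PCRE
# dialect. snort2bro marked these as "# Not supported" in its output.
UNSUPPORTED = {"offset", "depth", "distance", "within", "pcre", "nocase"}

# Characters that are special inside a Bro /.../ pattern (flex-style regexp,
# delimited by slashes) and must be backslash-escaped when they are literal.
SPECIAL = set(r'\.^$*+?()[]{}|/"')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_options(opts):
    """Split Snort's 'key:value; key; ...' option list into (key, value) pairs.

    Simplification: options are split on ';' regardless of quoting.
    """
    pairs = []
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"') if value else None))
    return pairs


def content_to_regex(content):
    """Turn a Snort content string into a literal Bro regexp fragment.

    Snort's |xx yy| hex byte groups become \\xNN escapes; everything else is
    escaped so it matches literally inside /.../.
    """
    out = []
    # re.split with a capture group alternates literal text and hex groups.
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f ]*)\|", content)):
        if i % 2:
            out.append("".join("\\x%02x" % int(b, 16) for b in part.split()))
        else:
            out.append("".join("\\" + c if c in SPECIAL else c for c in part))
    return "".join(out)


def snort_to_bro(rule):
    """Convert one Snort rule line into a Bro signature block (as a string)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)

    msg, sid, contents, unsupported = None, None, [], []
    for key, value in parse_options(m.group("opts")):
        if key == "msg":
            msg = value
        elif key == "sid":
            sid = value
        elif key == "content":
            contents.append(value)
        elif key in UNSUPPORTED:
            unsupported.append("%s:%s" % (key, value) if value else key)
        # rev, classtype, reference, ... carry no matching semantics; dropped.

    lines = ["signature %s {" % ("sid-%s" % sid if sid else "snort-rule")]
    proto = m.group("proto").lower()
    if proto in ("tcp", "udp", "icmp"):
        lines.append("  ip-proto == %s" % proto)
    if m.group("sport") != "any":
        lines.append("  src-port == %s" % m.group("sport"))
    if m.group("dport") != "any":
        lines.append("  dst-port == %s" % m.group("dport"))
    if contents:
        # Several content options match in order, so chain them with .* ;
        # the leading .* lets the pattern match anywhere in the payload.
        lines.append("  payload /.*%s/" % ".*".join(content_to_regex(c) for c in contents))
    for opt in unsupported:
        lines.append("  # Not supported: %s" % opt)
    lines.append('  event "%s"' % (msg or "snort rule %s" % (sid or "?")))
    lines.append("}")
    return "\n".join(lines)


# Constructed sample rule in Snort syntax; the sid is made up for this example.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; '
    'content:"/etc/passwd"; offset:4; depth:64; sid:1122; rev:5;)'
)

if __name__ == "__main__":
    print(snort_to_bro(EXAMPLE_RULE))
```

Running it prints a signature with `ip-proto == tcp`, `dst-port == 80`, a `payload /.*\/etc\/passwd/` condition, and two `# Not supported` lines for `offset:4` and `depth:64`, which is the loss of precision the thread is talking about: the converted signature still fires on the string, but no longer restricts where in the payload it may occur.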


