[Bro] create team for update snort2bro script signature ?
rmkml
rmkml at free.fr
Thu Nov 6 22:31:11 PST 2008
Two similar functions exist in Bro policy but are not available for signatures?:
-snort threshold()
=> it appears (*count*) on policy/signatures.bro but not on src/rule-scan.l ?
-snort flowbits:noalert
=> it appears (SigAction: SIG_QUIET) on policy/signatures.bro but not on src/rule-scan.l ?
Regards
Rmkml
Crusoe-Researches.com
On Fri, 7 Nov 2008, rmkml wrote:
> Date: Fri, 7 Nov 2008 06:56:05 +0100 (CET)
> From: rmkml <rmkml at free.fr>
> To: Robin Sommer <robin at icir.org>
> Cc: bro at ICSI.Berkeley.EDU
> Subject: Re: [Bro] create team for update snort2bro script signature ?
>
> Hi Robin,
> thx for reply,
> bro-1.4/scripts/s2b/bin/s2b.pl ?
> do you know if it is possible to add these features?
> Regards
> Rmkml
> Crusoe-Researches.com
>
> On Thu, 6 Nov 2008, Robin Sommer wrote:
>
>> Date: Thu, 6 Nov 2008 22:49:23 -0800
>> From: Robin Sommer <robin at icir.org>
>> To: bro at ICSI.Berkeley.EDU, rmkml <rmkml at free.fr>
>> Subject: Re: [Bro] create team for update snort2bro script signature ?
>>
>>
>> On Thu, Nov 06, 2008 at 16:57 +0100, you wrote:
>>
>>> First question: bro contains two scripts, one in perl and one in python,
>>
>> Which Perl script are you referring to?
>>
>>> 1) byte_test() is not supported, but is it possible that bro contains a similar
>>> function?
>>> 2) byte_jump() is not supported, but is it possible that bro contains a similar
>>> function?
>>
>> No, sorry, there is no such functionality yet.
>>
>> Robin
>>
>> --
>> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
>> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>>
>