[Bro] A question about loading signature files

zhiquan lai laizhiquan at gmail.com
Wed Nov 9 19:53:06 PST 2011


Hi, Dear Robin,

Actually, I didn't understand why you didn't recommend using the Snort
signature, which is an important module of Bro just as mentioned in the
manual.

But, recently, I'm trying to use Snort2bro to translate new Snort Rule set
to Bro's signature. Unfortunately, I found that Snort2bro does not support
some elements of Snort like "pcre" which is critical in detecting. Is this
why you didn't recommend using the Snort signature?

You said that the Snort signature is not generally really useful with Bro.
What did you mean by that?

What about improving Snort2bro to support "pcre" and other elements in
Snort? Does this work count?

Thanks,

Quan

> They are not only very old, but also generally not really
> useful with Bro.

On Thu, Oct 20, 2011 at 9:56 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Thu, Oct 20, 2011 at 00:02 +0800, you wrote:
>
> > However, when Bro loaded test.bro, many errors like
> > "smtp_servers(http_servers ...) didn't defined".
>
> These are defined in snort.bro, you can just load that.
>
> However, frankly, I don't recommend using the Snort signature at all
> anymore. They are not only very old, but also generally not really
> useful with Bro.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>