[Bro] A question about loading signature files
zhiquan lai
laizhiquan at gmail.com
Mon Nov 14 17:03:58 PST 2011
I will go to Bro 2.0-beta and the Barnyard2 project, and come back if I have any
questions :)
Thanks
Quan
On Fri, Nov 11, 2011 at 10:37 PM, Seth Hall <seth at icir.org> wrote:
>
> On Nov 9, 2011, at 10:53 PM, zhiquan lai wrote:
>
> > But, recently, I'm trying to use Snort2bro to translate new Snort Rule
> set to Bro's signature. Unfortunately, I found that Snort2bro does not
> support some elements of snort like "pcre" which is critical in detecting.
> Is this why you didn't recommend using the Snort signature?
>
> Bro 2.0-beta doesn't have the snort2bro utility anymore due to its
> lagging support for more modern Snort features. If you've been relying on it
> with 1.5, understand that you may not be able to migrate that support to
> 2.0 and future releases.
>
> We actually have an alternate approach to the Snort rule language now.
> The Barnyard2 project has a Bro output plugin so that Bro can receive
> alerts from Snort and Suricata for further correlation and analysis. As
> you probably understand, it makes the most sense to run those rules in the
> tool they were originally written and tested for. If we continued
> attempting to support Snort rules, there is no saying that we would
> actually be interpreting them completely correctly.
>
> If you are interested in improving Bro's signature support we can
> certainly talk more.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
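The poster reports that snort2bro could not translate Snort options such as `pcre`, and Seth's reply points out that a partial translation gives no assurance the rules are interpreted correctly. Before relying on any converter, a practitioner would want to inventory which rules in a set use options the converter cannot carry over. The script below is an added example written for this thread; it is not code from the thread, from snort2bro, or from the Bro or Snort projects. The sample rules and their sids are constructed, the rule grammar is the common Snort `action proto src sport -> dst dport (options)` form, and the set of untranslatable keywords holds only `pcre`, the one option the thread names; adding further keywords is an assumption left to the reader.

```python
import re

# Constructed sample ruleset (not from the thread); sids are placeholder values.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB plain content match"; flow:to_server,established; content:"GET /admin"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB pcre match"; flow:to_server,established; content:"User-Agent|3a|"; pcre:"/^User-Agent\x3a[^\r\n]*;\s*bot/im"; sid:1000002; rev:1;)
# a comment line that a loader must skip
alert udp any any -> any 53 (msg:"DNS byte_test"; content:"|00 01 00 00|"; byte_test:2,>,512,0; sid:1000003; rev:2;)
'''

# Rule header: action proto src sport direction dst dport, then the option body in parentheses.
RULE_RE = re.compile(
    r'^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)

# Option keywords snort2bro is reported (in the thread) not to translate.
# Only 'pcre' comes from the thread; any extension of this set is an assumption.
UNTRANSLATABLE = {'pcre'}


def split_options(body):
    """Split the option body on ';' while respecting double-quoted strings and
    backslash escapes, so a ';' inside a pcre or content string is not a separator."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:                      # character after a backslash is taken literally
            cur.append(ch)
            esc = False
            continue
        if ch == '\\':
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Parse one Snort rule line into its header fields and an ordered list of
    (keyword, value) options. Returns None for lines that are not rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, val = opt.partition(':')
        options.append((key.strip(), val.strip() or None))
    sid = next((v for k, v in options if k == 'sid'), None)
    return {
        'action': action, 'proto': proto,
        'src': src, 'sport': sport, 'direction': direction,
        'dst': dst, 'dport': dport,
        'options': options, 'sid': sid,
    }


def audit_ruleset(text, unsupported=UNTRANSLATABLE):
    """Return a list of (sid, [offending keywords]) for every rule that uses an
    option a converter like snort2bro would not carry over. Comment and blank
    lines are skipped; unparseable lines are ignored rather than guessed at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        keys = {k for k, _ in rule['options']}
        hit = sorted(keys & unsupported)
        if hit:
            findings.append((rule['sid'], hit))
    return findings


if __name__ == '__main__':
    for sid, keys in audit_ruleset(SAMPLE_RULES):
        print(f"sid {sid}: uses untranslatable option(s) {', '.join(keys)}")
```

Run against the constructed set, only sid 1000002 is reported, because its `pcre` option would be dropped or mistranslated by a converter that does not understand it; the `byte_test` rule passes only because that keyword is not in the set, which is exactly the kind of silent gap Seth's reply warns about when rules are run outside the tool they were written for.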