[Bro] Bro Signature Framework Examples
Liam Randall
liam.randall at gigaco.com
Wed Feb 4 05:52:38 PST 2015
Myra,
If you look under policy/frameworks/signatures/detect-windows-shells.sig:
https://github.com/bro/bro/blob/master/scripts/policy/frameworks/signatures/detect-windows-shells.sig
You'll find an example signature that ships with Bro. Additionally, each
protocol analyzer is enabled by a signature used in the dynamic protocol
detection (dpd) process; for example please see http's signature:
https://github.com/bro/bro/blob/master/scripts/base/protocols/http/dpd.sig
There are a lot of novel uses of signatures in Bro; in Jon's bitcoin mining
protocol detection he uses a signature to enable an analysis process:
https://github.com/jsiwek/bro_bitcoin
Many of the "signatures" you would use to find basic indicators of
compromise (domains, ip addresses, file hashes, etc) are handled by the
intelligence framework:
https://www.bro.org/sphinx/frameworks/intel.html
V/r,
Liam Randall
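An added example of the two pieces Liam describes working together (a signature file plus a script that loads it and acts on matches); this is illustrative code written for this reply, not one of Bro's shipped files, and the signature name, regex, and notice type are made up for the example.

```zeek
# example.sig (constructed): flag an HTTP request whose decoded URI contains a
# "../" sequence. The http-request condition only fires once Bro's DPD has
# already recognised the connection as HTTP, so this is protocol-aware rather
# than a raw byte match like a Snort rule.
signature http-traversal-example {
    ip-proto == tcp
    dst-port == 80
    tcp-state originator
    http-request /.*\.\.\//
    event "HTTP request URI contains ../ (example signature)"
}

# example.bro (constructed): load the signature file and raise a notice on a
# match. The base signature framework already records every match in
# signatures.log; this handler shows how a script adds its own reaction.
@load base/frameworks/notice
@load-sigs ./example.sig

module ExampleSig;

export {
    redef enum Notice::Type += { Traversal_Request };
}

# state$sig_id is the name from the .sig file, msg is its "event" string,
# and data holds the chunk of traffic that triggered the match.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "http-traversal-example" )
        return;

    NOTICE([$note=Traversal_Request,
            $conn=state$conn,
            $msg=msg,
            $sub=data,
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
    }
```

Running `bro -r some.pcap example.bro` against a capture shows matches in both signatures.log and notice.log.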
On Wed, Feb 4, 2015 at 7:09 AM, <just2 at arcor.de> wrote:
> Hello everyone,
> for testing purposes, I want to run Bro with signatures (similar to Snort).
> On https://www.bro.org/sphinx/frameworks/signatures.html it is described
> how to configure bro to use a signature file.
> However, I did not find a sample signature file. Also, it is stated that
> Snort signatures can no longer be transferred to Bro.
> Is there another way to (easily) import a bulk of the most common
> signatures? Is there any example file?
> Thanks,
> Myra
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>