[Bro] About signatures

Vito Logrillo vitologrillo at gmail.com
Mon Oct 5 12:11:40 PDT 2015


Thanks Robin for your reply.
I've read your paper and I think I've understood why a blind
conversion is not so useful: one reason is the possible generation of
many false positives (correct me if I'm wrong).
Can you suggest me a repository or a link where I can find signatures
specifically written for Bro?
Thanks
Vito



2015-10-05 18:54 GMT+02:00 Robin Sommer <robin at icir.org>:
> You might want to read this paper for more context about Bro's
> signature framework: http://www.icir.org/robin/papers/ccs03.ps.
>
> The comment you cite below is not saying that signatures aren't useful
> at all in Bro; it's just saying that blindly converting Snort
> signatures to Bro signatures hasn't proven to be a very useful thing
> to do in practice.
>
> Robin
>
> On Mon, Oct 05, 2015 at 18:34 +0200, Vito Logrillo wrote:
>
>> Hi All,
>> I'm studying your signature framework
>> https://www.bro.org/sphinx/frameworks/signatures.html
>> and I've found this explanation
>>
>> " However, in our experience this didn’t turn out to be a very useful
>> thing to do because by simply using Snort signatures, one can’t
>> benefit from the additional capabilities that Bro provides; the
>> approaches of the two systems are just too different"
>>
>> I understand that Bro and Snort have different approaches, but if I
>> need to do a detailed search for a specific string (for example), should I
>> write a script? And for several strings?
>> Which is the best approach to avoid signatures?
>> Thanks
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
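
The kind of string search Vito asks about, done the way the Bro
signature framework is meant to be used: a signature file does the
matching (raw payload or a parsed protocol field), and a policy script
reacts to the matches and adds the logic a Snort rule cannot express.
This is an added example written for this page; it is not code from the
thread or from the Bro project. The file names vito.sig and vito.bro,
the signature names, the check_root_match eval function, the
hit_threshold constant and the regexes are all assumed for the
illustration (the patterns are constructed, not a claim about real
attacks). Both files are shown in one block for compactness.

```bro
# ---- vito.sig : signature definitions (assumed file name) -------------------
# Loaded from the script below with @load-sigs. Comments use '#' as in Bro.

# One specific string, matched against the decoded HTTP request URI rather
# than raw bytes, so a plain Snort-style content match is not needed.
signature http-passwd-uri {
    ip-proto == tcp
    dst-port == 80
    http-request /.*\/etc\/passwd/
    event "HTTP request URI mentions /etc/passwd"
}

# A raw-payload match, limited to established TCP connections, with an
# extra script-side decision: "eval" calls check_root_match (defined in
# vito.bro) and the signature only fires if that function returns T.
signature payload-root-string {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    tcp-state established
    eval check_root_match
    event "payload contains 'root'"
}

# "Several strings": this signature only matches on a connection where
# payload-root-string has already matched, which is one way to require
# more than one string without writing the correlation by hand.
signature payload-uid-zero {
    ip-proto == tcp
    dst-port == 80
    payload /.*uid=0/
    requires-signature payload-root-string
    event "'uid=0' seen on a connection that already carried 'root'"
}

# ---- vito.bro : policy script that loads the signatures and reacts ----------

@load-sigs ./vito.sig

# Assumed for the example: connections with at least this many signature
# hits get an extra line of output.
const hit_threshold = 2 &redef;

# Per-connection count of signature matches, dropped when the connection ends.
global hits: table[conn_id] of count &default = 0;

# Called through the "eval" attribute of payload-root-string. Returning F
# suppresses the match, so script logic can refine what the regex alone
# flags. The criterion here (ignore payloads carrying a Referer header) is
# a constructed illustration, not a real heuristic.
function check_root_match(state: signature_state, data: string): bool
    {
    return /Referer:/ !in data;
    }

# Raised by the signature engine for every matching signature; state$sig_id
# names the signature and state$conn is the connection it matched on.
event signature_match(state: signature_state, msg: string, data: string)
    {
    local id = state$conn$id;
    hits[id] = hits[id] + 1;
    print fmt("%s matched %s -> %s:%s (%s); %d hit(s) on this connection",
              state$sig_id, id$orig_h, id$resp_h, id$resp_p, msg, hits[id]);

    if ( hits[id] >= hit_threshold )
        print fmt("threshold reached for %s, last payload: %s", id, data);
    }

event connection_state_remove(c: connection)
    {
    delete hits[c$id];
    }
```

Run it offline against a capture with "bro -r trace.pcap vito.bro"; the
@load-sigs line pulls in vito.sig from the same directory. The point
relative to a converted Snort rule is in the second and third
signatures: the match itself stays declarative, while the decision of
what counts (check_root_match) and how matches relate to each other
(requires-signature, the per-connection counter) lives in script code.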


