[Bro] Community source for rules

Michael Shirk shirkdog.bsd at gmail.com
Thu Oct 12 04:27:32 PDT 2017


"Signatures" have been discussed several times, and what it seems
folks would love to do is take Snort/Suricata rules and throw them into Bro.

I think the Intel framework would be a good place to get quick wins
with the conversion, but I have never used the signature features in Bro,
as the first rule of fight club is to never use it.

I think there may be different avenues to achieve similar functionality to
signature based IDS engines; it just requires time to figure it out.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Oct 11, 2017 14:58, "Adam Pumphrey" <apumphrey at bricata.com> wrote:

> I also suggest looking at Bro’s Intelligence Framework,
> https://www.bro.org/sphinx-git/frameworks/intel.html. This is how Bro
> consumes and makes use of threat intel indicators, which is essentially
> what the ET rule feeds contain.
>
> There are many intel indicator sources available, some require more effort
> than others to integrate. As mentioned some tools exist that can help with
> that. If you’re looking for an indicator source(s), Criticalstack offers a
> free feed aggregation service that directly integrates with Bro’s Intel
> Framework. It’s easy to use and a good tool for quickly getting external
> indicator sources in. Worth a look if you’re exploring how threat intel,
> supplementary to ET rule feeds, can be used.
>
> Adam
>
> *From: *<bro-bounces at bro.org> on behalf of fatema bannatwala <
> fatema.bannatwala at gmail.com>
> *Date: *Tuesday, October 10, 2017 at 3:16 PM
> *To: *matthieu <matthieu at treussart.com>
> *Cc: *bro <bro at bro.org>
> *Subject: *Re: [Bro] Community source for rules
>
> Then, I think you might want to look at the Bro scripting language,
> although still you have to script what you are looking for.
>
> Bro has started this awesome Bro-pkg manager project, which is similar to
> a central repository, for hosting the various Bro scripts that the community
> can benefit from.
>
> Here's the list of packages, available for the community to download and
> install:
>
> https://github.com/bro/packages
>
> Also, there are many individual Bro scripts available on GitHub.
>
> If interested, there's this script from Fox-IT regarding ransomware
> detection using SMB:
>
> https://github.com/fox-it/bro-scripts/tree/master/smb-ransomware
>
> -Fatema.
>
> On Tue, Oct 10, 2017 at 2:43 PM, matthieu <matthieu at treussart.com> wrote:
>
> Hi
>
> Thank you for your reply.
>
> Yes I know snort2bro, but I use Snort or Suricata for these rules.
>
> I was hoping there was a Bro rules contribution available on the Internet.
>
> Generic rules that respond to current events like WannaCry (SMB) …
>
> Matthieu
>
> On 10 Oct 2017, at 14:36, fatema bannatwala <fatema.bannatwala at gmail.com>
> wrote:
>
> Hi Matthieu,
>
> I am not aware of any source available for Bro signatures (rules, if
> that's what you meant), however, there used to be a script snort2bro that
> converted snort signatures/rules to corresponding Bro sigs, but it is not
> maintained anymore.
>
> Not sure what you are looking to solve, but if you know what you are
> searching for in your traffic, then you might want to take a look at Bro's
> Signature Language, to write your own signatures.
>
> Here's the link: https://www.bro.org/sphinx/frameworks/signatures.html
>
> Hope this helps.
>
> -Fatema
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
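As an added illustration of the Intel framework that Michael and Adam point to above (example code written for this page, not Bro project code), here is a small Python helper that turns a mixed list of indicators into the tab-separated feed file the framework reads. The column names and Intel::Type values follow the Intel framework documentation; the scheme-stripping of URL indicators and the "-" empty-field marker are assumptions about the framework's matching and input behaviour that should be checked against the Bro version in use, and all sample indicators are constructed.

```python
"""Build a Bro Intel framework feed (tab-separated, '#fields' header) from raw indicators."""
import ipaddress
import re

# Column order in the feed; the header line must begin with "#fields".
FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice")
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def classify(raw):
    """Return (normalised_indicator, Intel::Type) for one raw indicator string."""
    value = raw.strip()
    try:
        return str(ipaddress.ip_address(value)), "Intel::ADDR"
    except ValueError:
        pass
    if "/" in value:
        try:
            return str(ipaddress.ip_network(value, strict=False)), "Intel::SUBNET"
        except ValueError:
            pass  # not CIDR notation, fall through (probably a URL)
    if _HASH_RE.match(value):
        return value.lower(), "Intel::FILE_HASH"  # MD5 / SHA-1 / SHA-256 hex digest
    if "://" in value or "/" in value:
        # Assumption: the framework compares URLs without the scheme, so strip it here too.
        return re.sub(r"^[a-z][a-z0-9+.-]*://", "", value, flags=re.I), "Intel::URL"
    if "@" in value:
        return value.lower(), "Intel::EMAIL"
    return value.lower().rstrip("."), "Intel::DOMAIN"


def render_feed(raw_indicators, source, desc="-", do_notice=False):
    """Render one feed file. Separators must be real tabs; '-' marks an empty field."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    seen = set()
    for raw in raw_indicators:
        indicator, itype = classify(raw)
        if (indicator, itype) in seen:  # a duplicate row only adds a redundant match
            continue
        seen.add((indicator, itype))
        lines.append("\t".join((indicator, itype, source, desc, "T" if do_notice else "F")))
    return "\n".join(lines) + "\n"


# Constructed sample indicators; none refer to real infrastructure.
SAMPLE = ["198.51.100.7", "10.0.0.0/8", "Bad.Example.", "https://bad.example/Payload.bin",
          "D41D8CD98F00B204E9800998ECF8427E", "phish@bad.example"]

if __name__ == "__main__":
    print(render_feed(SAMPLE, "example-feed", "constructed sample", do_notice=True), end="")
```

The resulting file is loaded by adding it to `Intel::read_files` in local.bro (the path below is a placeholder): `redef Intel::read_files += { "/path/to/feed.dat" };`.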