[Bro] using YARA signatures within Bro
Christian Kreibich
christian at corelight.com
Wed Feb 7 14:54:15 PST 2018
Hey Am,
On 02/05/2018 02:03 PM, Ambros Novak wrote:
> Hello,
>
> I'm currently using YARA rules (yararules.yar) to inspect files from bro
> (extract-all-files.bro).
>
> Besides using bro to inspect files with YARA, how can I get bro to use YARA
> rules to inspect traffic and also certificates?
Bro doesn't currently integrate YARA, but there's at least this plugin
that pulls YARA file analysis more directly into Bro:
https://github.com/hempnall/broyara
We're considering expanding Bro's YARA support for file analysis and
potentially beyond, though much of that will need work on the YARA side
to make it operate in a more streaming-oriented fashion.
We'd definitely like to hear of Bro use cases for YARA that you guys can
think of.
Best,
-C.
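As an added example that is not part of the thread or of the broyara plugin mentioned above, the script below glues the two pieces the original poster already has together inside Bro: it attaches the extraction analyzer to every file the way extract-all-files.bro does, and once a file is fully written it runs the yara command-line scanner over it and raises a notice for each matching rule. It assumes a Bro 2.5 installation with the Exec framework available, the `yara` binary on Bro's PATH, and the rules path is a placeholder to adjust for your deployment.

```bro
##! Added example: extract every file Bro sees (as extract-all-files.bro does),
##! then scan each completed extraction with the yara CLI and raise a notice
##! on a match. Assumes Bro 2.5 and the yara binary on PATH; the rules path
##! below is a placeholder, not a path from the thread.

@load base/files/extract
@load base/frameworks/notice
@load base/utils/exec

module YaraScan;

export {
    redef enum Notice::Type += {
        ## A YARA rule matched an extracted file.
        Match,
    };

    ## Path to the YARA rules file (placeholder; set it for your deployment).
    const rules_file = "/usr/local/bro/share/yararules.yar" &redef;
}

# Same behaviour as the stock extract-all-files.bro: attach the extraction
# analyzer to every file. The filename is built only from values Bro itself
# generates (source and file id), so it contains no shell metacharacters.
event file_new(f: fa_file)
    {
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# file_state_remove fires once Bro is done with the file, i.e. after the
# extraction analyzer has finished writing it to disk.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # Files::Info$extracted holds the bare filename; the extraction framework
    # writes it under FileExtract::prefix.
    local path = build_path_compressed(FileExtract::prefix, f$info$extracted);
    local cmd = Exec::Command($cmd=fmt("yara -w %s %s", rules_file, path));

    # Exec::run is asynchronous and must be called from a `when` block.
    when ( local res = Exec::run(cmd) )
        {
        # yara exits 0 with or without matches and prints one
        # "<rule> <file>" line per matching rule; anything else is an error.
        if ( res$exit_code == 0 && res?$stdout && |res$stdout| > 0 )
            {
            for ( i in res$stdout )
                {
                local rule = split_string1(res$stdout[i], / /)[0];
                NOTICE([$note=Match,
                        $msg=fmt("YARA rule %s matched extracted file %s",
                                 rule, path),
                        $sub=f$info$extracted,
                        $f=f,
                        $identifier=cat(f$id, rule)]);
                }
            }
        }
    }
```

Because the scan happens after extraction completes, this covers files only; it does not address the traffic or certificate inspection the question also asks about, which is the part Christian notes would need streaming-oriented support on the YARA side. Scanning every extracted file with an external process is also costly on a busy link, so in practice you would restrict `file_new` to the MIME types or sources you care about.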