[Bro] Bro Signatures

Bibin Koshy koshybibin3 at gmail.com
Fri Feb 16 09:52:20 PST 2018


Hi,

I tried running bro using the signature file I created. It outputs
conn.log, notice.log, weird.log and other files. I just didn't get the
signature.log file, which is what I am looking for. I am sure I have a fair
amount of signatures defined, at least to find one alert/alarm on the pcap
file I am using. Is there anything that can be done? Like, should there be
any scripts I need to @load in my local.bro file to output the
signature.log file?

Thank you

On 15 February 2018 at 15:11, Zeolla at GMail.com <zeolla at gmail.com> wrote:

> You may also want to check out what bro ships with here -
> https://github.com/bro/bro/tree/master/scripts
>
> And what is available as bro packages (a new-ish platform for sharing bro
> 'things') - https://github.com/bro/packages
>
> Jon
>
> On Thu, Feb 15, 2018 at 10:08 AM Zeolla at GMail.com <zeolla at gmail.com>
> wrote:
>
>> Bro doesn't really work that way, so it would be hard to make that
>> comparison.
>> https://www.bro.org/sphinx/frameworks/signatures.html#so-how-about-using-snort-signatures-with-bro
>>
>> Bro does have the concept of signatures, it's just used in a way that is
>> very different than Snort would.  It may make sense to read more of
>> https://www.bro.org/sphinx/frameworks/signatures.html
>>
>> There is also this - https://github.com/corelight/bro-protosigs - for
>> using signatures in bro to do simple detection of some protocols, but it
>> definitely isn't meant to work in the way Snort signatures would.
>>
>> Jon
>>
>> On Thu, Feb 15, 2018 at 8:36 AM Bibin Koshy <koshybibin3 at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to compare Snort and Bro IDS on the basis of
>>> signatures/rules. Is there any repository for Bro rules/signatures? I
>>> haven't got any signature examples online. It would be a great help if you
>>> could suggest some signatures to find basic attacks.
>>>
>>> Thank you
>>> Bibin Koshy
>>
>> --
>>
>> Jon
>>
> --
>
> Jon
>



-- 
*Bibin*
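For reference, a minimal signature file of the kind discussed in this thread. This is an added example, not code from the thread or from the Bro project; the signature name, port and pattern are made up. A signature only yields a signature.log entry when it carries an `event` action and the file is actually loaded, either with `@load-sigs` in local.bro or with `-s` on the command line:

```bro
# example.sig  (constructed example, not from the thread)
#
# Load it with either of:
#   local.bro:  @load-sigs ./example.sig
#   CLI:        bro -r trace.pcap -s example.sig
#
# signature.log is written by base/frameworks/signatures, which is
# loaded by default, but only for signatures that fire an `event`.
# A signature whose only action is e.g. `enable "http"` matches
# silently and never shows up in signature.log.
signature http-root-in-payload {
    ip-proto == tcp
    dst-port == 80
    # payload regexes are anchored at the start of the stream,
    # hence the leading .*
    payload /.*root/
    event "Found 'root' in payload on port 80"
}
```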