I wrote a simple Bro policy file test.bro to load the signatures in the snort-default.sig file by redef'ing "signature_files".
However, when Bro loaded test.bro, I got many errors like "smtp_servers (http_servers, ...) is not defined".
Should I define these variables in my test.bro file?
Or is there any common configuration file that defines them?
These are defined in snort.bro, you can just load that.
However, frankly, I don't recommend using the Snort signatures at all
anymore. They are not only very old, but also generally not really
useful with Bro.
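As an added illustration (not code from the thread or from the Bro project), here is what a test.bro along the lines of the reply above could look like: it loads snort.bro so that http_servers, smtp_servers and the other sets the Snort signatures reference are defined, appends a signature file, and handles the resulting matches in a script. The file name snort-default.sig is taken from the question; the handler name and notice text are assumptions. The exact form of the signature_files redef (a whitespace-separated string in the 1.x/2.0 signature framework) should be checked against the Bro version in use.

```bro
# test.bro (added example, not part of the original thread)

# snort.bro defines the address sets (http_servers, smtp_servers, ...)
# that the Snort-derived signatures refer to; without it the signature
# loader reports them as undefined.
@load snort

# Register the signature file. signature_files is a string holding
# whitespace-separated file names (assumed 1.x/2.0 behaviour), so the
# leading space keeps it separate from anything already registered.
redef signature_files += " snort-default.sig";

# Every signature that carries an "event" action triggers this handler
# with the signature state, the event message and the matched data.
event signature_match(state: signature_state, msg: string, data: string)
    {
    print fmt("signature %s matched on %s -> %s: %s",
              state$sig_id,
              state$conn$id$orig_h, state$conn$id$resp_h,
              msg);
    }
```

Run it as the only policy argument (for example bro -r some.pcap test.bro) to confirm that the undefined-variable errors disappear once snort.bro is loaded; any remaining errors then point at individual signatures that reference sets snort.bro does not define.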
Actually, I didn't understand why you didn't recommend using the Snort signatures, which are an important module of Bro, as mentioned in the manual.
But recently I've been trying to use Snort2bro to translate a new Snort rule set into Bro's signatures. Unfortunately, I found that Snort2bro does not support some Snort elements like "pcre", which is critical in detection. Is this why you didn't recommend using the Snort signatures?
You said that the Snort signatures are generally not really useful with Bro. What did you mean by that?
What about improving Snort2bro to support "pcre" and other elements of Snort? Would this work count?
Bro 2.0-beta doesn't have the snort2bro utility anymore due to its lagging support for more modern Snort features. If you begin relying on it with 1.5, understand that you may not be able to migrate that support to 2.0 and future releases.
We actually have an alternate approach to the Snort rule language now. The Barnyard2 project has a Bro output plugin so that Bro can receive alerts from Snort and Suricata for further correlation and analysis. As you probably understand, it makes the most sense to run those rules in the tool they were originally written and tested for. If we continued attempting to support Snort rules, there is no guarantee that we would actually be interpreting them completely correctly.
If you are interested in improving Bro's signature support we can certainly talk more.
Thanks! Let me know if you encounter any trouble with the Barnyard2 output plugin or Bro. I haven't touched the Barnyard2 code in over a year at this point but I'm certainly still willing to make fixes and updates to it.