I'm studying your signature framework
and I've found this explanation
" However, in our experience this didn’t turn out to be a very useful
thing to do because by simply using Snort signatures, one can’t
benefit from the additional capabilities that Bro provides; the
approaches of the two systems are just too different"
I understand that Bro and Snort have different approaches, but if I
need detailed research on a specific string (for example), should I
write a script? And for several strings?
Which is the best approach to avoid signatures?
You might want to read this paper for more context about Bro's
signature framework: http://www.icir.org/robin/papers/ccs03.ps.
The comment you cite below is not saying that signatures aren't useful
at all in Bro; it's just saying that blindly converting Snort
signatures to Bro signatures hasn't proven to be a very useful thing
to do in practice.
Thanks Robin for your reply.
I've read your paper and I think I've understood why a blind
conversion is not so useful: one reason is the possible generation of
many false positives (correct me if I'm wrong).
Can you suggest a repository or a link where I can find signatures
specifically written for Bro?
Bro’s use of signatures is focussed more on protocol identification than on alerting an operator to malicious/benign packets.
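As an added illustration of that distinction (not part of the thread, and not taken from Bro's own distribution), here is a Bro signature file in the style of Bro's dpd.sig: the first pair of signatures identifies HTTP by payload and hands the connection to the HTTP analyzer, while the last one is a plain content match for a single string. The signature names, the regular expressions and the string "SuspiciousString" are illustrative assumptions.

```zeek
# Added example, not from the original thread or from Bro's source tree.
# Protocol identification: recognise HTTP by what the client and server
# say, independent of the port the connection happens to use.
signature example_http_client {
  ip-proto == tcp
  payload /^[[:space:]]*(GET|HEAD|POST|PUT|DELETE)[[:space:]]+/
  tcp-state originator
}

signature example_http_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
  # Only fires once the client side has matched as well.
  requires-reverse-signature example_http_client
  # Activate the HTTP analyzer for this connection, whatever the port.
  enable "http"
}

# Content match: look for one specific string in requests to port 80.
# A match raises the signature_match event, which a Bro script can
# handle; several strings would simply be several such signatures.
signature example_string_in_request {
  ip-proto == tcp
  dst-port == 80
  payload /.*SuspiciousString/
  event "example: string seen in HTTP request"
}
```

Load the file with `@load-sigs` (or the `signature_files` variable) and handle `signature_match` in a script to act on the last signature.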