" However, in our experience this didn’t turn out to be a very useful
thing to do because by simply using Snort signatures, one can’t
benefit from the additional capabilities that Bro provides; the
approaches of the two systems are just too different"
I understand that Bro and Snort have different approaches, but if I
need a detailed research on a specific string (for example), should I
write a script? And for several strings?
Which is the best approach to avoid signatures?
Thanks
The comment you cite below is not saying that signatures aren't useful
at all in Bro; it's just saying that blindly converting Snort
signatures to Bro signatures hasn't proven to be a very useful thing
to do in practice.
Thanks Robin for your reply.
I've read your paper and I think I've understood why a blind
conversion is not so useful: one reason is the possible generation of
many false positives (correct me if I'm wrong).
Can you suggest me a repository or a link where I can find signatures
specifically written for Bro?
Thanks
Vito