bro comparison to snort operation

Hello Group,
I need some clarification. I am trying to understand the operations of Bro and how it relates to how Snort operates. I am having a little trouble with a few things.

1. Where are default rules/signatures/scripts stored in the folder structure?
2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?
3. Where do we place custom bro scripts we write?
4. Is there a skeleton of a basic script somewhere so I know where to start?
5. Where in Bro do I specify sending the data to an external ELSA server?

Thanks for your help!

John,

  1. The default policies are underneath $BROHOME/share/bro/, but keep in mind you should never edit these policy files.
  2. That's tough to answer because that's really up to you. You can look at whatever log you find most helpful; it depends on the situation. Maybe if you could clarify what you are hoping to find, we can help point you to the correct log.
  3. Site specific policies go in the $BROHOME/share/bro/site as this directory does not get overwritten on updates, meaning your policies will persist.
  4. Personally, I found it best to look at the default policies (which you can find here: http://www.bro.org/sphinx/scripts/index.html), as well as here: https://github.com/languages/Bro
  5. That I’m not sure of sorry.

-Sam

I need some clarification. I am trying to understand the operations of Bro and how it relates to how Snort operates. I am having a little trouble with a few things.

Don't try to draw those comparisons. They're only going to lead to confusion for you. :)

1. Where are default rules/signatures/scripts stored in the folder structure?

<prefix>/share/bro

2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?

Any and all logs could be important depending on what you're investigating. Certain logs like communication.log, notice_policy.log, and loaded_scripts.log are Bro doing some internal accounting, so that if you have questions about how it's behaving you may be able to figure that out.

In "normal" operation the weird log tends to be of less value too (please correct me if someone uses that a lot!). Typically the most important logs are the ones that provide some sort of network activity logging (i.e. http.log, smtp.log, conn.log, dns.log, software.log, etc)

3. Where do we place custom bro scripts we write?

I typically recommend that people place scripts into <prefix>/share/bro/site/ and use the local.bro script in that directory to load their scripts.

4. Is there a skeleton of a basic script somewhere so I know where to start?

I would take a look at the scripts in <prefix>/share/bro/policy/ (there are quite a few) to get a general feel of the land. That directory and all of its subdirectories are where most of the scripts are that detect various things.

5. Where in Bro do I specify sending the data to an external ELSA server?

That is something you'll have to do outside of Bro. We don't have any direct integration at this point in time. The SecurityOnion project should be able to provide some guidance there, since they ship with Bro logs integrated into ELSA.

  .Seth
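As an added example (not code from Sam's or Seth's replies, and not part of the Bro distribution), here is the kind of minimal site-local script that points 3 and 4 in both replies describe: a file dropped into <prefix>/share/bro/site/ that defines its own notice type, exposes a redef-able setting, and hooks an existing base script's event so that it lands in notice.log. The file name watch_http_hosts.bro, the module name WatchHTTP, the notice type Watched_HTTP_Host and the hostname example.invalid are all assumptions; the syntax is Bro 2.x script language.

```bro
##! Hypothetical site-local script: watch_http_hosts.bro
##! Lives in <prefix>/share/bro/site/ (which survives upgrades) and is
##! loaded from local.bro in the same directory.
##! Raises a notice whenever an HTTP request is made to a watched hostname.

@load base/frameworks/notice
@load base/protocols/http

module WatchHTTP;

export {
	redef enum Notice::Type += {
		## HTTP request seen to a host on the watch list (assumed type name).
		Watched_HTTP_Host
	};

	## Hostnames to alert on. "example.invalid" is a constructed placeholder.
	## Because the set is &redef, local.bro can extend it without editing
	## this file:   redef WatchHTTP::watched_hosts += { "another.example" };
	const watched_hosts: set[string] = { "example.invalid" } &redef;
}

# HTTP::log_http fires once per request/response pair, just before the
# record is written to http.log, so rec$host is populated whenever a Host
# header was seen. Hooking the log event (rather than raw http_request)
# means we inherit the base script's parsing for free.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$host )
		return;

	# A Host header may carry ":port"; strip it and normalise case before
	# comparing against the watch list.
	local host = to_lower(sub(rec$host, /:[0-9]+$/, ""));
	if ( host !in watched_hosts )
		return;

	NOTICE([$note=Watched_HTTP_Host,
	        $msg=fmt("HTTP request to watched host %s", host),
	        $sub=rec?$uri ? rec$uri : "",
	        $id=rec$id,
	        $uid=rec$uid,
	        # Same client + same host only alerts once per hour.
	        $identifier=cat(rec$id$orig_h, host),
	        $suppress_for=1hr]);
	}
```

To wire it in, add `@load watch_http_hosts` (the site directory is on BROPATH, so `@load ./watch_http_hosts` also works) to local.bro, then `broctl check` / `broctl deploy`. To try it offline first, run `bro -r some.pcap watch_http_hosts.bro` in a scratch directory and look for Watched_HTTP_Host rows in the resulting notice.log; http.log alongside it shows the requests that were considered.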

Thank you Seth and Samuel. I appreciate the help. :)