For testing purposes, I want to run Bro with signatures (similar to Snort).
On https://www.bro.org/sphinx/frameworks/signatures.html it is described how to configure Bro to use a signature file.
However, I did not find a sample signature file. Also, it is stated that Snort signatures can no longer be transferred to Bro.
Is there another way to (easily) import a bulk of the most common signatures? Is there any example file?
If you look under policy/frameworks/signatures/detect-windows-shells.sig:
You’ll find an example signature that ships with Bro. Additionally, each protocol analyzer is enabled by a signature used in the dynamic protocol detection (dpd) process; for example please see http’s signature:
There are a lot of novel uses of signatures in Bro; in Jon's bitcoin mining protocol detection he uses a signature to enable an analysis process:
Many of the "signatures" you would use to find basic indicators of compromise (domains, IP addresses, file hashes, etc.) are handled by the intelligence framework:
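A minimal signature file plus the script that loads it and acts on matches, as an added example that is not part of the original thread or of the Bro distribution. The file names (my-sigs.sig, my-sigs.bro), the signature name, the payload pattern and the notice type are all assumptions chosen for illustration; the signature syntax and the `signature_match` event follow the signature framework documentation linked in the question.

```bro
# Added example, not from the original thread or the Bro distribution.
# File names, signature id, pattern and notice type are assumptions.
#
# ---- my-sigs.sig ----
# Match a TCP payload sent by the connection originator to port 80 that
# references /etc/passwd. "event" raises signature_match() in script-land.
signature http-etc-passwd {
    ip-proto == tcp
    dst-port == 80
    tcp-state originator
    payload /.*\/etc\/passwd/
    event "HTTP request referencing /etc/passwd"
}

# ---- my-sigs.bro ----
# Load the signature file (path relative to this script) and turn matches
# into a notice so they show up in notice.log alongside the default
# signatures.log entry written by the signature framework.
@load-sigs ./my-sigs.sig

module MySigs;

export {
    redef enum Notice::Type += {
        Etc_Passwd_Request,
    };
}

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Other signatures (e.g. the dpd_* ones) also raise this event;
    # only act on our own id.
    if ( state$sig_id != "http-etc-passwd" )
        return;

    NOTICE([$note=Etc_Passwd_Request,
            $msg=msg,
            $conn=state$conn,
            # suppress repeats for the same host pair
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
    }
```

Run it against a capture with `bro -r trace.pcap my-sigs.bro`; the `tcp-state originator` constraint keeps the pattern from being tested against server responses, and restricting on `dst-port` limits the regex to the traffic you actually care about, which matters because every unconstrained signature is applied to every payload Bro sees.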