Bro Signatures

Hi,

I am trying to compare Snort and Bro IDS on the basis of signatures/rules.Is there any repository for Bro rules/signatures? I haven’t got any signatures examples online. It would be a great help if you could suggest some signatures to find basic attacks.

Thank you
Bibin Koshy

Bro doesn’t really work that way, so it would be hard to make that comparison. https://www.bro.org/sphinx/frameworks/signatures.html#so-how-about-using-snort-signatures-with-bro

Bro does have the concept of signatures, it’s just used in a way that is very different than Snort would. It may make sense to read more of https://www.bro.org/sphinx/frameworks/signatures.html

There is also this - https://github.com/corelight/bro-protosigs - for using signatures in bro to do simple detection of some protocols, but it definitely isn’t meant to work in the way Snort signatures would.

Jon

You may also want to check out what bro ships with here - https://github.com/bro/bro/tree/master/scripts

And what is available as bro packages (a new-ish platform for sharing bro ‘things’) - https://github.com/bro/packages

Jon

Hi,

I tried running bro using the signature file i created. It outputs conn.log, notice.log, weird.log and other files. I just didnt get the signature.log file which is what i am looking for. I am sure i have a fair amount of signatures defined at least to find one alert/alarm on the pcap file i am using. Is there anything that can be done. Like should there be any scripts i need to @load to my local.bro file to output the signature.log file?

Thank you