Check Syntax Bro scripts

Hi Matthieu,

I am not aware of any source available for Bro signatures (rules, if that’s what you meant); however, there used to be a script, snort2bro, that converted Snort signatures/rules to corresponding Bro sigs, but it is not maintained anymore.

Not sure what you are looking to solve, but if you know what you are searching for in your traffic,
then you might want to take a look at the Bro’s Signature Language, to write your own signatures.
Here’s the link: https://www.bro.org/sphinx/frameworks/signatures.html

Hope this helps.

-Fatema

Hi
Thank you for your reply.

Yes, I know snort2bro, but I use Snort or Suricata for these rules.
I was hoping there was a Bro rules contribution available on the Internet.
Generic rules that respond to current events like WannaCry (SMB) …

Matthieu


Then, I think you might want to look at the Bro scripting language, although you still have to script what you are looking for.
Bro has started this awesome Bro-pkg manager project, which is similar to a central repository for hosting the various Bro scripts that the community can benefit from:

Here’s the list of packages, available for the community to download and install:
https://github.com/bro/packages

Also, there are many individual Bro scripts available on github.
If interested, there’s this script from Fox-IT regarding ransomware detection using SMB:
https://github.com/fox-it/bro-scripts/tree/master/smb-ransomware

-Fatema.

I also suggest looking at Bro’s Intelligence Framework, https://www.bro.org/sphinx-git/frameworks/intel.html. This is how Bro consumes and makes use of threat intel indicators, which is essentially what the ET rule feeds contain.

There are many intel indicator sources available, some require more effort than others to integrate. As mentioned some tools exist that can help with that. If you’re looking for an indicator source(s), Criticalstack offers a free feed aggregation service that directly integrates with Bro’s Intel Framework. It’s easy to use and a good tool for quickly getting external indicator sources in. Worth a look if you’re exploring how threat intel, supplementary to ET rule feeds, can be used.

Adam
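An added example (not from any post in this thread) of what Adam’s pointer looks like in practice: a constructed indicator file in the Intel framework’s tab-separated input format, and a script that loads it and reports matches. The file path, the feed name "example-feed" and the indicator values are assumptions chosen from reserved documentation ranges.

```bro
# Added example: feeding a constructed indicator file into Bro's
# Intelligence Framework and reporting the hits.
#
# 1. Indicator file. Columns are separated by a single TAB (shown here
#    as <TAB>); save as /opt/bro/intel/example.dat (path is an assumption):
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
#   198.51.100.23<TAB>Intel::ADDR<TAB>example-feed<TAB>constructed test address<TAB>T
#   bad-example.invalid<TAB>Intel::DOMAIN<TAB>example-feed<TAB>constructed test domain<TAB>T
#
#   198.51.100.0/24 and the .invalid TLD are reserved documentation values,
#   and "example-feed" is a made-up source name.
#
# 2. Script. Run against a capture with: bro -r traffic.pcap intel-example.bro
#    or add it to local.bro on a live sensor.

@load frameworks/intel/seen        # feeds conns, DNS, HTTP, SSL etc. into Intel::seen()
@load frameworks/intel/do_notice   # raises Intel::Notice when meta.do_notice is T

# Register the constructed file; the framework re-reads it when it changes.
redef Intel::read_files += { "/opt/bro/intel/example.dat" };

# Intel::match fires for every observation that hits one or more indicators.
# Matches are also written to intel.log by the framework itself.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	for ( item in items )
		{
		print fmt("intel hit: %s (%s) from source %s, seen in %s",
		          s$indicator, s$indicator_type, item$meta$source, s$where);
		}
	}
```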

Hi Adam
This is what I am looking for. I am trying the Criticalstack API.

Thank you very much.
Matthieu

“Signatures” have been discussed several times, and what it seems folks would love to do is take Snort/Suricata rules and throw them into Bro.

I think the Intel framework would be a good place to get quick wins with the conversion, but I have never used the signature features in Bro, as the first rule of fight club is to never use it.

I think there may be different avenues to achieve similar functionality to signature based IDS engines, just requires time to figure it out.