Hi,
Congratulations Bro Team for a new version 1.4 !
I expected than bro is not a snort rules parser, but its interesting porting snort rules directly to bro...
Im interested by update snort2bro signature, Im known snort rules, but I don't known how its implemented on bro script!
Anyone interested ?
First question: bro contains two script, one in perl and one in python,
what is the "best" ?
Second question: function not supported:
1)byte_test() is not supported, but it is possible bro contains similar function ?
2)byte_jump() is not supported, but it is possible bro contains similar function ?
Regards
Rmkml
Crusoe-Researches.com
First question: bro contains two script, one in perl and one in python,
Which Perl script are you refering to?
1)byte_test() is not supported, but it is possible bro contains similar function ?
2)byte_jump() is not supported, but it is possible bro contains similar function ?
No, sorry, there is no such functionality yet.
Robin
Hi Robin,
thx for reply,
bro-1.4/scripts/s2b/bin/s2b.pl ?
do you known if it is possible adding this features ?
Regards
Rmkml
Crusoe-Researches.com
two function like exist on bro policy but not avalaible for signatures ?:
-snort threshold()
=> it appears (*count*) on policy/signatures.bro but not on src/rule-scan.l ?
-snort flowbits:noalert
=> it appears (SigAction: SIG_QUIET) on policy/signatures.bro but not on src/rule-scan.l ?
Regards
Rmkml
Crusoe-Researches.com
bro-1.4/scripts/s2b/bin/s2b.pl ?
Ah, I see. That is actually a wrapper around the Python snort2bro
which does some stuff on top of it.
do you known if it is possible adding this features ?
Not sure. These options, iirc, are using packet-semantics which are
hard to emulate in Bro's stream-model. They might be some
approximation though which works suffiently well, don't know.
Robin