Dear Team,

I am trying to achieve functionality of the following snort signatures using bro scripts

signature are -

Rule to set the flowbit from snort backdoor.rules
alert tcp $EXTERNAL_NET any → $HOME_NET 20034 (msg:“BACKDOOR NetBus Pro 2.0 connection request”; flow:to_server,established; content:“BN |00 02 00|”; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)

Rule to check for the flowbit
alert tcp $HOME_NET 20034 → $EXTERNAL_NET any (msg:“BACKDOOR NetBus Pro 2.0 connection established”; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:“BN|10 00 02 00|”; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)

First one sets a flowbit which is used by second rule for detection

i wrote following script that may help me for the first one

@load base/protocols/conn

event tcp_packet(c:connection,is_orig:bool,flags:string,seq:count,ack:count,len:count,payload:string)
const content1 = /.(BN\x00\x02\x00)/
const content2 =/.
local c1 = sub_bytes(payload,1,6)
if(content1 in c1)
local c2 = sub_bytes(payload,9,2)
if(content2 in c2)

sid 3009 match flow-bit set


So my problem here is how can i do something in bro like setting flowbit in snort that will help me to correlate and detect.


Hi Rahul,

While there are certainly others on the list that could and may answer your question with more specifics, I at least wanted to point out the bro signature framework doc page that should be helpful to you, assuming you are not already aware of it: