signatures: pros/cons, future plans for bro

Hello Bro users,

I'm currently reviewing opensource IDS for usage at an ISP.
I really like Bro's clean and well-thought-out design and implementation (the C++
source code is really clean, especially when compared to Snort's C, which
looks messy; TCP stream reconstruction was there way before Snort; it's
implemented in 5 times fewer kB of source code than Snort, etc.)

But the needs of an IDS at an ISP may be a bit different than at an
EDU/R&D site like Bro seems to have been designed for.

Having a signature matcher is a must at an ISP: for example, having a set of
signatures matching against the latest vulnerability in whatever PHP apps, in
front of a hosting room.

Bro does support it, but rather badly: there's a really good, custom-built
stream-based regexp matcher, but the signature set is Snort's,
using a pair of Perl/Python scripts to convert it.

Conversion between two pattern matchers with different semantics leads to
errors: in the snort2bro-generated file, you'll see a lot of
# Not supported
lines about string position or regexp syntax.

My question is: are there plans to have better support for Bro signatures,
by improving snort2bro and/or modifying the Bro pattern matcher to be
closer to Snort's?

Are there needs in the Bro user community that match the ones I
describe?

Also, I've read somewhere of future plans to have NetFlow support; what
is the plan? (The idea is very good: coarse-grained unusual flow detection
using NetFlow, then the refined analysis through Bro.)

Regards.
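As an added illustration of the conversion problem described above (an example written for this page, not snort2bro or any Bro project code): a minimal Snort-to-Bro rule converter that keeps what maps cleanly (protocol, numeric destination port, `content` strings with `nocase`) and emits `# Not supported` lines for the positional modifiers and `pcre` options that have no equivalent in Bro's stream regexp matcher. It assumes Bro's regexp accepts `\xNN` byte escapes and that joining several contents with `.*` is an acceptable approximation; the sample rule is constructed.

```python
import re

# One Snort option is "name:value;" or a bare flag "name;"; values may be double-quoted.
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
POSITIONAL = ("offset", "depth", "distance", "within")  # byte-position semantics Bro lacks
META = set(r'\.^$|?*+()[]{}/')  # characters that must be escaped inside /.../

def content_to_regex(value, nocase):
    """Turn a Snort content string (with optional |hex| chunks) into a Bro regexp fragment."""
    out = []
    for i, chunk in enumerate(value.split("|")):
        if i % 2:  # odd chunks sit between | | and are hex bytes (assumes Bro accepts \xNN)
            out.append("".join(r"\x%02x" % int(h, 16) for h in chunk.split()))
            continue
        for ch in chunk:
            if nocase and ch.isalpha():
                out.append("[%s%s]" % (ch.lower(), ch.upper()))  # portable case folding
            else:
                out.append("\\" + ch if ch in META else ch)
    return "".join(out)

def convert(rule):
    """Convert one Snort rule to a Bro signature; unsupported options become comment lines."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    _action, proto, _src, _sport, _dir, _dst, dport, opts = m.groups()
    contents, notes, sid, msg = [], [], "unknown", ""
    for name, value in OPT_RE.findall(opts):
        value = value.strip().strip('"')
        if name == "content":
            contents.append([value, False])
        elif name == "nocase" and contents:
            contents[-1][1] = True  # modifier applies to the preceding content
        elif name in POSITIONAL or name == "pcre":
            notes.append("  # Not supported: %s:%s" % (name, value))
        elif name == "sid":
            sid = value
        elif name == "msg":
            msg = value  # other options (flow, rev, classtype, ...) are ignored here
    lines = ["signature sid-%s {" % sid, "  ip-proto == %s" % proto.lower()]
    if dport.isdigit():
        lines.append("  dst-port == %s" % dport)
    elif dport != "any":
        notes.append("  # Not supported: dst-port %s" % dport)  # Snort variable, not a number
    if contents:  # Bro payload regexps are anchored, hence the leading .*
        lines.append("  payload /.*%s/" % ".*".join(content_to_regex(v, nc) for v, nc in contents))
    return "\n".join(lines + notes + ['  event "%s"' % msg, "}"])

# Constructed sample rule, not taken from any real ruleset.
EXAMPLE_RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; '
                r'flow:to_server,established; content:"/phf"; nocase; offset:0; depth:32; '
                r'pcre:"/^GET\s/"; sid:886; rev:8;)')
```

Running `print(convert(EXAMPLE_RULE))` shows the three `# Not supported` lines that make up most of a snort2bro output file.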

Hi Philippe,

great to hear you guys are considering Bro.

> Conversion between two pattern matchers with different semantics leads to
> errors: in the snort2bro-generated file, you'll see a lot of
> # Not supported
> lines about string position or regexp syntax.

You're absolutely right. I don't recommend using snort2bro anymore;
it's outdated and doesn't support many of Snort's new options.

> My question is: are there plans to have better support for Bro signatures,
> by improving snort2bro and/or modifying the Bro pattern matcher to be
> closer to Snort's?

No, not on our side, we don't maintain it anymore. For our setups,
we have decided that converting Snort rules is not really worth the
trouble; we don't get enough benefit out of them. (YMMV.)

> Are there needs in the Bro user community that match the ones I
> describe?

A few folks have expressed interest in the past in bringing
snort2bro back to life. If somebody were to take over snort2bro
development, I'm sure the Bro community would appreciate that.

(I actually once started to build a better
snort-regexp-to-bro-regexp converter but I'm afraid I lost the code;
can't find it anymore :( )

> Also, I've read somewhere of future plans to have NetFlow support; what
> is the plan? (The idea is very good: coarse-grained unusual flow detection
> using NetFlow, then the refined analysis through Bro.)

There's experimental NetFlow support, written by Bernhard Ager, in
my working branch. I plan to write a few words about how to use it
on the ICSI blog sometime soon.

Robin