I’m a Bro newbie and I’ve been tasked to look at using Bro to perform analysis on Pcap files. We’d like to utilize some existing Snort rules in this analysis. A number of the Snort rules contain “offset” and “depth” parameters. I’d appreciate some advice on how to accomplish doing these Snort alerts in Bro.
Thanks – Jon
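As an added illustration (not code from this thread, and not Bro/Zeek code), the following Python sketch shows what the Snort `offset` and `depth` modifiers actually constrain when a rule's `content` pattern is matched against a packet payload: `offset` skips that many bytes from the start of the payload before the search begins, and `depth` limits how many bytes, counted from that start point, are searched, with the pattern having to fit entirely inside that window. The HTTP payload and the rule clauses are constructed for the example; the names and the `ContentMatch` class are assumptions of this example, not Snort or Bro identifiers.

```python
"""Added example: a minimal re-implementation of Snort's content/offset/depth
matching semantics, applied to a constructed HTTP payload."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ContentMatch:
    """One `content:"..."; offset:N; depth:M;` clause (hypothetical helper)."""
    pattern: bytes
    offset: int = 0              # bytes skipped before the search begins
    depth: Optional[int] = None  # bytes searched from `offset`; None = rest of payload

    def matches(self, payload: bytes) -> bool:
        start = self.offset
        if start >= len(payload) or not self.pattern:
            return False
        end = len(payload) if self.depth is None else min(len(payload), start + self.depth)
        # bytes.find(sub, start, end) only reports hits that lie wholly inside
        # payload[start:end], which is exactly the depth constraint.
        return payload.find(self.pattern, start, end) != -1


# Constructed sample payload: the first bytes of a plain HTTP request.
# Byte positions: "GET " is 0..3, "/index.html" is 4..14, " HTTP/1.1" is 15..23,
# CRLF is 24..25, "Host: example.test" starts at 26.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Constructed rule clauses (no real sids or rule text implied).
RULES: Dict[str, ContentMatch] = {
    # content:"GET"; depth:3;  -> the method must sit in the first three bytes
    "method_get_at_start": ContentMatch(b"GET", offset=0, depth=3),
    # content:"HTTP"; offset:4; depth:10;  -> searches bytes 4..13 only, misses
    "http_too_early": ContentMatch(b"HTTP", offset=4, depth=10),
    # content:"HTTP"; offset:15; depth:6;  -> window bytes 15..20 is " HTTP/", hits
    "http_in_version_field": ContentMatch(b"HTTP", offset=15, depth=6),
    # content:"HTTP"; offset:15; depth:4;  -> window " HTT" is too short for the pattern
    "http_depth_too_short": ContentMatch(b"HTTP", offset=15, depth=4),
    # content:"Host: example.test"; offset:26;  -> no depth, search to end of payload
    "host_header": ContentMatch(b"Host: example.test", offset=26),
}


def evaluate_rules(payload: bytes = SAMPLE_PAYLOAD) -> Dict[str, bool]:
    """Evaluate every constructed clause against the payload."""
    return {name: clause.matches(payload) for name, clause in RULES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_rules().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

The `http_depth_too_short` clause is the case that usually trips people up: with `offset:15; depth:4;` only bytes 15 through 18 are inspected, and because the four-byte pattern starts at byte 16 it does not fit in the window, so the clause does not fire even though the bytes are "right there". That byte-window behaviour is what a port of such a rule would have to reproduce, which is also why the replies below suggest letting Snort or Suricata evaluate these rules and joining their alerts with Bro's connection logs instead.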
As a fellow newbie, I feel the best answer is “don’t”.
To me, Bro seems better suited for flow-like analysis, not byte-by-byte packet analysis.
Yes, use Suricata or Snort for Snort rule analysis, and combine the output there with Bro output. That will give you great data to supplement the IDS alerts and will be most efficient both in CPU time and human time.