Snort signature

Antonatos_Spiros · November 19, 2002, 2:57pm

I used snort2bro and converted snort signatures into a snort.bro file
I gave bro snort.bro but it says
./snort.bro, line 1 (rule): error, undeclared variable

What should I do?

Antonatos Spiros

robin · November 19, 2002, 3:51pm

Currently, snort2bro needs a full Snort configuration (snort.cfg)
incl. variable definitions. Perhaps you've tried to convert only the
signatures themselves without the surrounding definitions given in
snort.cfg?

Robin

robin · November 19, 2002, 4:28pm

In addition (because, as it seems, it's not snort2bro which
complains but Bro itself): How did you call Bro? You need to specify
the converted signature file via the -s option as it's not a Bro
policy script.

Eventually, I will write some documentation of the signature
engine...

Robin

Antonatos_Spiros · November 19, 2002, 4:31pm

thanks for your interest. i didn't see the -s option and i was giving
the rules file as a policy script. BTW, bro performs strings searching
by using an automaton?

Antonatos Spiros

robin · November 21, 2002, 8:14am

Yes, it compiles the regular expressions into DFAs.

Robin

Topic		Replies	Views
Snort to Bro Zeek	1	54	May 6, 2022
A question about loading signature files Zeek	6	59	May 6, 2022
is snort2bro missing from 0.9-current Zeek	1	66	May 6, 2022
False positive Zeek	4	54	May 6, 2022
Snort to Bro Zeek	4	106	May 6, 2022

Snort signature

Related Topics