Using snort signatures in Bro

Bryan November 8, 2004, 2:23am 1

Hello all,

I need to compare how bro and snort handle attacks in traffic captures.
I have my snort "sig" files, but I don't know the proper syntax of the
command line statement.

I used snort2bro to read my snort.conf file and the result was a file
with a number of bro signatures that I called snort.sig:

signature sid-xxx {
:
:
}

Can anyone help? I am using bro 0.8. I need to call the .sig file and
read my tcpdump capture file at the same time.

Thanks,
Bryan
Florida Tech

robin November 8, 2004, 7:42am 2

Try something like this (assuming snort.sig being in your current
directory):

bro -r trace -s ./snort.sig site snort signatures

(Don't forget to adapt site.bro to your local environment).

Robin

Topic		Replies	Views	Activity
comparing Bro Zeek	1	50	May 6, 2022
load snort signature in bro Zeek	1	91	May 6, 2022
Snort 2 Bro Utility Zeek	2	70	May 6, 2022
Bro Signatures Zeek	4	78	May 6, 2022
Off-line analysis Zeek	1	75	May 6, 2022