Hi, I can't use snort2bro.
I followed the wiki instructions (http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro) but it says: snort2bro command not found.
I know that it has to be already installed with bro, but if I give "locate snort2bro", I can't find it.
How can I use it?
Thanks
Paolo Tironi
I've just resolved the problem.
Now I understand how to use s2b and I've just converted a snort rule into a bro policy. I redirected the stdout to a .bro file. The result is a file with many rows of code, but I can't use it as a bro policy (error: unknown identifier signature, at or near "signature").
The structure of the file is:
signature 549-8 {
ip-proto == tcp
src-ip == local_nets
dst-ip != local_nets
dst-port == 8888
tcp-state established,originator
event "P2P napster login"
payload /.*\x00\x02\x00/
}
This is not equal to a classic bro policy.
How can I use it to create my own policy?
Thanks
Paolo Tironi
2008/7/17 Paolo Tironi <paolo.tironi85@gmail.com>:
Hi Paolo,
> signature 549-8 {
> ip-proto == tcp
> src-ip == local_nets
> dst-ip != local_nets
> dst-port == 8888
> tcp-state established,originator
> event "P2P napster login"
> payload /.*\x00\x02\x00/
> }
> This is not equal to a classic bro policy.
> How can I use it to create my own policy?
You can write your own Bro policy script which defines a
signature_match event handler for signatures to catch specifically
this signature on your own (the signature_match event is triggered
for every signature matching, but it receives a signature_state
parameter which contains the id of the signature being matched. In
your case it'd be 549-8).
Alternatively, just uncomment brolite-sigs (i.e., @load it) in your
host file generated when Bro was installed (it's usually in
site/<hostname>.bro). I suggest you read brolite-sigs.bro as well,
as you may also want to redefine signature_files to include your own
signature file.
Also, take a look at
http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures
bye,
Lorenzo
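The signature_match handler Lorenzo describes, written out as an added example (not code from the thread or from the Bro distribution); it assumes a Bro 1.x signature_state record with fields id and conn, that the converted rule was saved as napster.sig, and that signature_files is a string that can be extended with redef +=.

```bro
# Added example: catch only the snort2bro-generated signature 549-8.
# Assumes Bro 1.x: signature_state has $id and $conn; signature_files
# is a string redef'd with +=; the sig file is named napster.sig.
@load signatures

# Load our own signature file (assumed name) in addition to any others.
redef signature_files += "napster.sig";

# The sig file compares against local_nets, so define it here
# (placeholder network; replace with your own ranges).
redef local_nets = { 192.168.0.0/16 };

# Fired for every matching signature; filter on the id we care about.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$id != "549-8" )
		return;

	local c = state$conn;
	print fmt("%s: %s -> %s:%s (%s)",
	          msg,
	          c$id$orig_h, c$id$resp_h, c$id$resp_p,
	          state$id);
	}
```

Run it alongside the generated file with the usual policy search path, e.g. bro -r trace.pcap napster.bro; only hits for 549-8 are printed, every other signature match is ignored by the early return.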