using YARA signatures within Bro

Hello,

I’m currently using YARA rules (yararules.yar) to inspect files from bro (extract-all-files.bro).

Besides using bro to inspect files with YARA, how can I get bro to use YARA rules to inspect traffic and also certificates?

Thank you for your help. I’m still learning bro and YARA.

-Am

Hey Am,

> Hello,
>
> I'm currently using YARA rules (yararules.yar) to inspect files from bro
> (extract-all-files.bro).
>
> Besides using bro to inspect files with YARA, how can I get bro to use YARA
> rules to inspect traffic and also certificates?

Bro doesn't currently integrate YARA, but there's at least this plugin that pulls YARA file analysis more directly into Bro:

   GitHub - hempnall/broyara: integrating bro into yara

We're considering expanding Bro's YARA support for file analysis and potentially beyond, though much of that will need work on the YARA side to make it operate in a more streaming-oriented fashion.

We'd definitely like to hear of Bro use cases for YARA that you guys can think of.

Best,
-C.
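The file-analysis path the question describes (Bro writes files to disk via extract-all-files.bro, YARA scans them afterwards) is the one the reply confirms is available today. The script below is an added example, not code from the thread, from Bro or from the broyara plugin: it scans the extraction directory with yara-python and joins each hit back to Bro's files.log so a match can be tied to the connection UID, source protocol and MIME type. It assumes yara-python is installed, that extracted files keep Bro's default naming (which ends in `-<fuid>`), and that files.log is the tab-separated ASCII format with a `#fields` header; the embedded files.log is a constructed sample, and the rule names and UIDs in it are placeholders.

```python
"""Scan Bro-extracted files with YARA and map hits back to files.log.

Added example (not part of the mailing-list thread). Assumptions:
  * yara-python is installed (import yara) for the scan itself;
  * extracted files use Bro's default extract naming, ending in "-<fuid>";
  * files.log is the tab-separated ASCII log with a #fields header.
"""
import os
import sys

# Constructed sample of a Bro files.log with an abbreviated field set.
# UIDs, hosts and filenames are placeholders, not real observations.
SAMPLE_FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tfilename\textracted
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tstring\tstring
1500000000.123456\tFaBcD1example1\t10.0.0.5\t192.168.1.20\tCxyz1example\tHTTP\tapplication/x-dosexec\tupdate.exe\textract-1500000000.123456-HTTP-FaBcD1example1
1500000000.456789\tFzYx2example2\t10.0.0.7\t192.168.1.21\tCabc2example\tSMTP\ttext/plain\t-\textract-1500000000.456789-SMTP-FzYx2example2
"""


def parse_files_log(text):
    """Return {fuid: {field: value}} from files.log text.

    Field names come from the #fields header, so any field set works;
    the unset marker '-' becomes None.
    """
    fields = None
    records = {}
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("files.log has no #fields header before data")
        values = line.split("\t")
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        records[rec["fuid"]] = rec
    return records


def fuid_from_extracted(path):
    """Recover the fuid from an extracted file name.

    Assumes the default extract naming, which ends in "-<fuid>"; fuids
    themselves contain no '-', so the last dash-separated token is the fuid.
    """
    return os.path.basename(path).rsplit("-", 1)[-1]


def enrich_hits(hits, records):
    """Join (path, [rule names]) pairs with their files.log record."""
    out = []
    for path, rules in hits:
        fuid = fuid_from_extracted(path)
        rec = records.get(fuid, {})
        out.append({
            "fuid": fuid,
            "rules": sorted(rules),
            "conn_uids": rec.get("conn_uids"),
            "source": rec.get("source"),
            "mime_type": rec.get("mime_type"),
            "tx_hosts": rec.get("tx_hosts"),
            "rx_hosts": rec.get("rx_hosts"),
        })
    return out


def scan_extracted(extract_dir, rules_path):
    """Compile the YARA rule file and scan every extracted file.

    Yields (path, [matching rule names]) for files with at least one match.
    yara-python is imported here so the log helpers above work without it.
    """
    import yara
    rules = yara.compile(filepath=rules_path)
    for name in sorted(os.listdir(extract_dir)):
        path = os.path.join(extract_dir, name)
        if not os.path.isfile(path):
            continue
        matches = rules.match(path)
        if matches:
            yield path, [m.rule for m in matches]


def main(argv):
    if len(argv) != 4:
        print("usage: %s <extract_files dir> <rules.yar> <files.log>" % argv[0])
        return 2
    extract_dir, rules_path, log_path = argv[1:]
    with open(log_path) as fh:
        records = parse_files_log(fh.read())
    for hit in enrich_hits(scan_extracted(extract_dir, rules_path), records):
        print("%s source=%s mime=%s conn=%s rules=%s" % (
            hit["fuid"], hit["source"], hit["mime_type"],
            hit["conn_uids"], ",".join(hit["rules"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python yara_scan_extracted.py ./extract_files yararules.yar files.log` from the directory Bro writes its logs to. Resolving the fuid through files.log rather than inspecting the file again is what makes a hit actionable: the conn_uids value leads straight to conn.log and the protocol log (http.log, smtp.log) for the transfer that carried the file.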