Emerging Bro Signatures

Bro is an Open Source IDS similar to Snort, but with a different philosophy. Bro is not primarily intended to do byte-wise signature matching the way Snort does. Bro works much more at the application-analysis level, including forms of analysis across multiple connections and hosts. It's a great tool, very powerful and used in many of the largest networks around the world, especially the gov't sector. It has a very powerful scripting language, and it is also capable of many of the detail-oriented matches Snort is famous for.

You can learn more about Bro here -- http://www.bro-ids.org .

Because of user interest we've started a signature conversion project to push the most timely, critical, and important Snort-like signatures into a Bro signature set. Many of our users have both systems running on different networks to catch different types of events.

CS Lee has led the creation of this effort and is its primary creator. He can be reached at bro@emergingthreats.net.

The signature conversion process has been automated to some degree in the past, but for the time being all signatures are being converted by hand. This reflects the idea that Bro doesn't need an exact replica of the entire running Snort ruleset. If you need that then you should run Snort. These signatures are being converted to address immediate and timely issues without overwhelming Bro with too many Snort-style signatures.
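To make the hand-conversion step concrete, here is an added example (not Emerging Threats' converter and not code from the Bro project): a small Python script that turns the common subset of a Snort rule (header, msg, sid, content with |hex| sections, nocase, flow) into a Bro signature-engine block. The Snort rules, sids and messages in it are constructed for illustration. The mapping it uses, Snort flow to Bro tcp-state, content to a leading-.* payload regex, and (?i:...) for nocase, follows Bro's documented signature syntax as I understand it; anything it cannot map (pcre, distance/within, byte_test, negated content, Snort $variables) is emitted as a # TODO comment so the human converter can finish the signature rather than silently losing a constraint.

```python
"""Constructed example: convert simple Snort rules to Bro signature syntax.
Not the Emerging Threats converter; handles the common subset and flags the rest."""
import re
from dataclasses import dataclass, field

# Constructed sample rules (not from any published ruleset); sids are placeholders.
SAMPLE_SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB suspicious user-agent"; '
    'flow:to_server,established; content:"User-Agent|3a| EvilBot"; nocase; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC nick pattern"; '
    'flow:to_server,established; content:"NICK "; sid:9000002; rev:2;)',
    'alert udp 10.0.0.0/8 any -> any 53 (msg:"EXAMPLE DNS query flags"; '
    'content:"|01 00 00 01|"; byte_test:1,&,1,0; sid:9000003; rev:1;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# Snort 'flow' keywords -> Bro 'tcp-state' keywords, emitted in this canonical order.
FLOW_MAP = {'established': 'established', 'to_server': 'originator', 'from_client': 'originator',
            'to_client': 'responder', 'from_server': 'responder', 'stateless': 'stateless'}
STATE_ORDER = ['established', 'originator', 'responder', 'stateless']
SPECIAL = set('.*+?()[]{}|^$/\\')   # regex metacharacters to escape inside a Bro /pattern/
CIDR_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$')


@dataclass
class SnortRule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ''
    sid: str = ''
    contents: list = field(default_factory=list)     # [[text, nocase], ...] in rule order
    flow: list = field(default_factory=list)
    unsupported: list = field(default_factory=list)  # options the converter cannot map


def parse_snort_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + line)
    rule = SnortRule(*(m.group(k) for k in ('proto', 'src', 'sport', 'dst', 'dport')))
    # Options are ';'-separated; a literal ';' inside content is escaped as '\;' in Snort.
    for opt in re.split(r'(?<!\\);', m.group('opts')):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'msg':
            rule.msg = val.strip('"')
        elif key == 'sid':
            rule.sid = val
        elif key == 'content' and not val.startswith('!'):
            rule.contents.append([val.strip('"').replace('\\;', ';').replace('\\"', '"'), False])
        elif key == 'nocase' and rule.contents:
            rule.contents[-1][1] = True          # nocase modifies the preceding content
        elif key == 'flow':
            rule.flow = [f.strip() for f in val.split(',')]
        elif key not in ('rev', 'classtype', 'reference', 'metadata'):
            rule.unsupported.append(opt)         # pcre, distance, within, byte_test, !content ...
    return rule


def content_to_regex(text, nocase):
    """Snort content (literal text with |HH HH| hex sections) -> Bro regex fragment."""
    out = []
    for i, chunk in enumerate(text.split('|')):
        if i % 2:                                 # odd chunks are hex byte lists
            out.extend('\\x%02x' % int(h, 16) for h in chunk.split())
        else:
            out.extend('\\' + c if c in SPECIAL else c for c in chunk)
    body = ''.join(out)
    return '(?i:%s)' % body if nocase else body


def to_bro_signature(rule):
    name = 'et-sid-%s' % rule.sid if rule.sid else 'et-unnamed'
    lines = ['signature %s {' % name, '  ip-proto == %s' % rule.proto]
    for side, addr, port in (('src', rule.src, rule.sport), ('dst', rule.dst, rule.dport)):
        if CIDR_RE.match(addr):
            lines.append('  %s-ip == %s' % (side, addr))
        elif addr != 'any':                       # $HOME_NET etc. have no signature equivalent
            lines.append('  # TODO: map Snort variable %s to a Bro address condition' % addr)
        if port.isdigit():
            lines.append('  %s-port == %s' % (side, port))
        elif port != 'any':
            lines.append('  # TODO: port spec %s not converted' % port)
    if rule.flow and rule.proto == 'tcp':
        wanted = {FLOW_MAP[f] for f in rule.flow if f in FLOW_MAP}
        states = [s for s in STATE_ORDER if s in wanted]
        if states:
            lines.append('  tcp-state %s' % ','.join(states))
    if rule.contents:
        # Bro anchors payload patterns at the start of the stream, hence the leading '.*';
        # joining several contents with '.*' keeps their order but drops distance/within.
        lines.append('  payload /.*%s/' % '.*'.join(content_to_regex(t, nc) for t, nc in rule.contents))
    for opt in rule.unsupported:
        lines.append('  # TODO: unsupported Snort option: %s' % opt)
    lines.append('  event "%s"' % rule.msg.replace('"', '\\"'))
    lines.append('}')
    return '\n'.join(lines)


def convert_rules(snort_lines):
    return [to_bro_signature(parse_snort_rule(l)) for l in snort_lines]


if __name__ == '__main__':
    print('\n\n'.join(convert_rules(SAMPLE_SNORT_RULES)))
```

Run it and paste the output into a .sig file loaded by Bro; every # TODO line is a constraint the converter could not express and should be resolved by hand before the signature is trusted, which is exactly why the hand-conversion step above is not optional.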

We are also publishing our RBN (RussianBusinessNetwork), CompromisedHost IPs, SpamHausDROPList, BotCC, and DshieldTopAttackers rulesets in Bro format.

A great writeup of the Bro concept and syntax is available here:

http://blog.icir.org/2008/06/bro-signature-engine.html

Bro Reference Manual: Signatures
Converted Rules are available at:

http://www.emergingthreats.net/bro/

And more detail under AllRulesets

A post from the Bro team is here: http://blog.icir.org/2008/06/emerging-bro-project.html

-- MattJonkman - 26 Jun 2008

Topic revision: r5 - 2012-04-04 - MattJonkman