Emerging Bro Signatures
Bro is an Open Source IDS similar to Snort, but with a different philosophy. Bro is not primarily intended to do byte-wise signature matching the way Snort does. Bro works much more at the application-analysis level, including forms of analysis across multiple connections and hosts. It's a great tool, very powerful and used in many of the largest networks around the world, especially in the government sector. It has a very powerful scripting language, and it is also capable of many of the detail-oriented matches Snort is famous for.
You can learn more about Bro here -- http://www.bro-ids.org
Because of user interest we've started a signature conversion project to push the most timely, critical, and important Snort-like signatures into a Bro signature set. Many of our users have both systems running on different networks to catch different types of events.
CS Lee has led the creation of this effort and is its primary creator. He can be reached at firstname.lastname@example.org.
The signature conversion process has been to some degree automated in the past, but for the time being all signatures are being converted by hand. This reflects the idea that Bro doesn't need an exact replica of the entire running Snort rulesets available. If you need that then you should run Snort. These signatures are being converted to address immediate and timely issues without overwhelming Bro with too many Snort-style signatures.
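To illustrate what hand conversion of a Snort-style rule into Bro's signature syntax involves, here is a small added example (not the project's own converter) that handles only the simple subset of Snort options named in its comments, run over a constructed rule that is not a real Emerging Threats signature:

```python
import re
# Regex metacharacters that must be escaped inside a Bro /.../ payload pattern.
_META = set(r'.^$*+?()[]{}|\/')

def _content_to_regex(content: str) -> str:
    """Turn a Snort content string (literal text plus |hex| blocks) into a Bro regex."""
    out = []
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                                   # odd chunks sit inside |...|
            out.append("".join("\\x" + b for b in part.split()))
        else:
            out.append("".join("\\" + ch if ch in _META else ch for ch in part))
    return "".join(out)

def snort_to_bro(rule: str) -> str:
    """Convert one simple Snort 'alert' rule (msg/flow/content/sid) to a Bro signature."""
    head = r"alert\s+(\w+)\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$"
    m = re.match(head, rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax (only simple alert rules are handled)")
    proto, sport, dport, body = m.groups()
    opts, contents = {}, []
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append(val)                         # keep content order
        else:
            opts[key] = val
    lines = [f"signature sid-{opts.get('sid', 'UNKNOWN')} {{",
             f"  ip-proto == {proto}"]
    for name, port in (("src-port", sport), ("dst-port", dport)):
        if port.isdigit():                               # 'any' and $VARS are left out
            lines.append(f"  {name} == {port}")
    flow = opts.get("flow", "")
    if proto == "tcp" and "established" in flow:         # Snort flow -> Bro tcp-state
        side = ",originator" if "to_server" in flow else ",responder" if "to_client" in flow else ""
        lines.append(f"  tcp-state established{side}")
    for c in contents:                                   # Bro payload regexes are start-anchored
        lines.append(f"  payload /.*{_content_to_regex(c)}/")
    lines.append(f'  event "{opts.get("msg", "converted Snort rule")}"')
    lines.append("}")
    return "\n".join(lines)

# Constructed sample rule, not a real Emerging Threats signature.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET WEB example"; '
               'flow:to_server,established; content:"GET /foo"; content:"|0d 0a|"; '
               'sid:2000001; rev:1;)')
```

Options this subset ignores (pcre, depth/offset, byte_test, port ranges and variables) are exactly where a by-hand conversion has to decide what Bro should express differently.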
We are also publishing our RBN (RussianBusinessNetwork) and DshieldTopAttackers rulesets in Bro format.
A great writeup of the Bro concept and syntax is available here:
Bro Reference Manual: Signatures
Converted Rules are available at:
And more detail under AllRulesets
A post from the Bro team is here:
- 26 Jun 2008