
Emerging Bro Signatures

Bro is an open-source IDS similar to Snort, but with a different philosophy. Bro's focus is more on higher-level, network-wide events and trends than on byte-by-byte traffic analysis. It has a very powerful scripting language, yet it is still capable of many of the detail-oriented matches Snort is famous for.

Because of user interest we've started a signature conversion project to push the most timely, critical, and important Snort-like signatures into a Bro signature set. Many of our users have both systems running on different networks to catch different types of events.

CS Lee has led this effort and is its primary creator. He can be reached at bro@emergingthreats.net.

The signature conversion process has been automated to some degree in the past, but for the time being all signatures are being converted by hand. This reflects the idea that Bro doesn't need an exact replica of the entire set of running Snort rulesets. If you need that, you should run Snort. These signatures are being converted to address immediate and timely issues without overwhelming Bro with too many Snort-style signatures.

We are also publishing our RBN (RussianBusinessNetwork), CompromisedHost IPs, SpamHausDROPList, ShadowServerCC, and DshieldTopAttackers rulesets in Bro format.

A great writeup of the Bro concept and syntax is available here:

http://blog.icir.org/2008/06/bro-signature-engine.html

Bro Reference Manual: Signatures


Converted Rulesets are available at:

http://www.emergingthreats.net/bro/

and Bro Firewall Rulesets are at:

http://www.emergingthreats.net/fwrules

-- MattJonkman - 26 Jun 2008

Topic revision: r2 - 2008-06-26 - CsLee