Emerging Threats

New Project: Emerging-Bro

By request we've a new project to share with you. CS Lee has led the drive to get this going and is doing the heavy lifting in making it happen.

What we are starting is a Bro Signature repository. We have many ET users already familiar with Bro. Over the last few months I've had a number of requests that some of our sigs be converted to Bro as many use both tools in different parts of their networks. Thanks to CS Lee for stepping up to lead this and get the work done.

As many of you know, Bro is not primarily intended to do byte-wise signature matching like Snort does. Bro works much more at the application-analysis level, including forms of analysis across multiple connections and hosts. It's a great tool, very powerful and used in many of the largest networks around the world, especially the gov't sector. You can learn more about Bro here -- http://www.bro-ids.org

This project, nicknamed Emerging-Bro, is NOT going to be a full sig-for-sig conversion of our entire ET ruleset to Bro. It will NOT be an automated conversion script. Bro does not need an entire Snort ruleset converted to it; it looks for many very different things. But there are some things we can contribute, especially high-profile current threats. CS Lee intends to convert the most important and high-threat signatures to Bro as needed.

He of course can use some help. If you're a Bro user or have some experience please hop in and help out. You can contact him at [e-mail address hidden].

You can view the signatures already available here:

http://www.emergingthreats.net/bro/

For the time being we'll have normal Bro discussions on the emerging-sigs list, as most issues should be relevant to the same rule in both formats. But if there's a need we'll spin off a new list for Bro-specific discussions.

We will also have versions of our IP lists (RBN, Bot CnC, Spamhaus DROP, and others) available in that directory, updated daily as usual.

If you have questions or sigs to go specifically to Bro please email CS Lee at [e-mail address hidden] or the usual address [e-mail address hidden].

 

And a post from the Bro Blog:

http://blog.icir.org/2008/06/emerging-bro-project.html

Last Updated ( Monday, 30 June 2008 13:49 )  
