In addition to the policy language, Bro provides another language which is specifically designed to define signatures. Signatures precisely describe how network traffic looks for certain, well-known attacks. As soon as an attack described by a signature is recognized, Bro may generate an event for this signature match, which can then be analyzed by a policy script. To define signatures, Bro's language provides several powerful constructs like regular expressions and dependencies between multiple signatures.
Signatures are independent of Bro's policy scripts and, therefore, are put into their own file(s). There are two ways to specify which files contain signatures: by using the -s flag when you invoke Bro, or by extending the Bro variable signature_files using the += operator.
If a signature file is given without a path, it is searched along . The default extension of the file name is .sig, which Bro appends automatically.
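As an added example that is not part of the original page, a minimal signature file together with the policy script that loads it via signature_files and handles the resulting match event; the file name local.sig, the signature name constructed-marker and the payload pattern are constructed for illustration:

```bro
# --- local.sig (signature file; the .sig extension is appended if omitted) ---
# Constructed example: match a TCP connection to port 80 whose payload
# carries the marker string "EXAMPLE-MARKER" anywhere.
signature constructed-marker {
    ip-proto == tcp
    dst-port == 80
    payload /.*EXAMPLE-MARKER/
    event "constructed marker seen in port 80 traffic"
}

# --- local.bro (policy script) ---
# Equivalent to starting Bro with "bro -s local.sig": extend the variable
# with the += operator instead.
redef signature_files += "local.sig";

# Bro raises signature_match for every hit; state carries the connection
# and the signature id, msg is the text given after "event" in the .sig file.
event signature_match(state: signature_state, msg: string, data: string)
    {
    print fmt("signature %s matched on %s -> %s: %s",
              state$sig_id, state$conn$id$orig_h, state$conn$id$resp_h, msg);
    }
```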