Node: Signatures, Next: , Previous: Notice Actions, Up: Customizing Bro



Signatures

NOTE: this section is rough and somewhat in flux.

Signatures in Bro are quite different from standard packet-matching signatures such as those used in Snort. A Bro signature, or rule, is a contextual signature: besides packet contents it can include connection-level information, such as the direction of the traffic, the TCP state of the connection, and whether a related signature matched on the other side of the same connection. Hence Bro signatures generate far fewer false positives.

For example, a packet-level signature for an HTTP attack looks only at the attack packet, whereas a Bro contextual signature can also look for the HTTP reply and generate an alarm only if the attack was successful.

In this section we explain how to customize signatures for your site and how to import new signatures from Snort and bro-ids.org. More information on the details of Bro signatures is in the signature section of the reference manual.

The following files are used to control and customize Bro signatures.

Files in $BROHOME/policy contain the default Bro signatures and should not be edited. Files in $BROHOME/site are where you customize signatures for your site; new signatures that you write go there too. All files ending in .sig in that directory are loaded into the signature engine. In fact, all .sig files in any directory in $BROPATH (set in $BROHOME/etc/bro.cfg) are loaded, so check $BROPATH if a signature loads unexpectedly or fails to load.
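The following is an added example of the request-plus-reply pattern described above, written as a site signature file you would place under $BROHOME/site; it is not part of the Bro distribution. The signature names, the /cgi-bin/vuln.cgi path and the regular expressions are hypothetical placeholders. The condition keywords (ip-proto, dst-port, src-port, tcp-state, http-request, http-reply-header, requires-reverse-signature, event) are taken from the Bro 1.x signature language as I recall it; confirm them, and in particular whether http-reply-header sees the HTTP status line on your version, against the signature section of the reference manual before relying on this.

```bro
# Added example, not from the Bro distribution: a contextual signature pair.
# Save as $BROHOME/site/local-http.sig (any .sig file in $BROPATH is loaded).
# "vuln.cgi", the signature names and the regexes are hypothetical.

# Attack side. Matches a suspicious request from the connection originator,
# but only produces the event if the reply signature below ALSO matches
# in the reverse direction of the same connection.
signature local-http-vulncgi-success {
    ip-proto == tcp
    dst-port == 80
    tcp-state established,originator
    http-request /.*\/cgi-bin\/vuln\.cgi\?.*cmd=/
    requires-reverse-signature local-http-200-reply
    event "vuln.cgi command injection (server answered 200)"
}

# Reply side. Matches an HTTP 200 status from the responder. It has no
# "event" action, so it never raises an alarm by itself; it only supplies
# the context the signature above requires. A request that the server
# rejects (404, 500, connection reset) therefore generates no alarm.
signature local-http-200-reply {
    ip-proto == tcp
    src-port == 80
    tcp-state established,responder
    http-reply-header /^HTTP\/1\.[01] 200/
}
```

To see whether the file was picked up, run Bro with signature matching enabled against a capture containing both the request and a 200 reply: you should get exactly one alarm for that connection, and none for a capture in which the server answered with an error. If neither fires, check that the directory holding the file is in $BROPATH in $BROHOME/etc/bro.cfg.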