In addition to the policy language, Bro provides another language which is
specifically designed to define signatures. Signatures precisely describe
how network traffic looks for certain, well-known attacks. As soon as an attack
described by a signature is recognized, Bro may generate an event for this
signature match which can then be analyzed by a policy script.
To define signatures, Bro's language provides several powerful constructs like
regular expressions.
Signatures are independent of Bro's policy scripts and, therefore, are put into their own file(s). There are two ways to specify which files contain signatures: by using the -s flag when you invoke Bro, or by extending the Bro variable signature_files using the += operator. If a signature file is given without a path, it is searched along $BROPATH. The default extension of the file name is .sig, which Bro appends automatically if it is omitted.
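As an added example (not part of the original documentation), the following shows the two halves described above: a signature file that is loaded through signature_files, and the policy script that handles the resulting signature_match event. The file names local-sigs.sig and local-sigs.bro, the signature name and the payload pattern are all constructed for illustration.

```bro
# --- file: local-sigs.sig (constructed example signature) ---
# Matches TCP traffic to port 80, sent by the originator after the
# handshake, whose payload starts with a request line for an illustrative
# placeholder path. The regex is a stand-in, not a real attack pattern.
signature http-example-path {
    ip-proto == tcp
    dst-port == 80
    tcp-state established,originator
    payload /^[A-Z]+ \/example-path/
    event "example path requested"
}

# --- file: local-sigs.bro (policy script that consumes the match) ---
# Equivalent to starting Bro with "-s local-sigs.sig": the file is
# searched along $BROPATH, and ".sig" is appended if it were omitted.
redef signature_files += "local-sigs.sig";

# Bro raises signature_match for every signature hit; the script filters
# on the signature id and reports the connection endpoints involved.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "http-example-path" )
        return;

    print fmt("signature %s matched (%s): %s -> %s, %d payload bytes",
              state$sig_id, msg,
              state$conn$id$orig_h, state$conn$id$resp_h,
              state$payload_size);
    }
```

Running `bro -r trace.pcap local-sigs.bro` (trace.pcap being any capture you supply) applies the signature to the recorded traffic and prints one line per match.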