

snort2bro

The open-source IDS Snort provides an extensive library of signatures. The Python script snort2bro converts Snort's signatures into Bro signatures. Because Bro and Snort have different internal architectures, it is not always possible to preserve the exact semantics of Snort's signatures, but most of the time it works very well.

To convert Snort signatures into Bro's format, snort2bro needs a workable Snort configuration file (snort.cfg) which, in particular, defines the variables used in the Snort signatures (usually things like $EXTERNAL_NET or $HTTP_SERVERS). The conversion is performed by calling snort2bro [-I dir] snort.cfg, where the directory optionally given by -I contains the files imported by Snort's include statement. The converted signature set is written to standard output and may be redirected to a file. This file can then be evaluated by Bro using the -s flag or the signatures_files variable.
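A pre-flight check for the "workable configuration" requirement above, written as an added example (it is not part of the Bro distribution and does not reproduce snort2bro's own logic): it reports variables that rule headers reference but the configuration never defines, and include files that are not found in the -I directory. The function names, the sample configuration and rule, and the fallback to the configuration file's own directory when no include directory is given are assumptions.

```python
import re
import tempfile
from pathlib import Path

VAR_DEF = re.compile(r"^var\s+(\w+)\s+(.+)$")
VAR_REF = re.compile(r"\$(\w+)")
INCLUDE = re.compile(r"^include\s+(\S+)$")
# Constructed sample input, not taken from any real rule set.
SAMPLE_CFG = ("var HOME_NET 10.0.0.0/8\nvar EXTERNAL_NET !$HOME_NET\n"
              "var HTTP_SERVERS $HOME_NET\ninclude web.rules\ninclude local.rules\n")
SAMPLE_RULES = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
                '(msg:"constructed"; content:"$Id"; sid:1000001;)\n')


def preflight(cfg, include_dir=None):
    """Return ({undefined variable: first use}, [includes not found])."""
    base = Path(include_dir) if include_dir else Path(cfg).parent
    defined, used, missing, seen = set(), {}, [], set()
    def walk(path):
        seen.add(path)
        for no, line in enumerate(path.read_text().splitlines(), 1):
            line = line.strip()
            if line.startswith("#"):
                continue
            var, inc = VAR_DEF.match(line), INCLUDE.match(line)
            if var:
                defined.add(var.group(1))
                text = var.group(2)  # a value may reference other variables
            elif inc:
                text, target = "", base / inc.group(1)
                if not target.is_file():
                    missing.append(inc.group(1))
                elif target not in seen:  # guard against include loops
                    walk(target)
            else:
                text = line.split("(", 1)[0]  # header only: "$" in options is payload
            for name in VAR_REF.findall(text):
                used.setdefault(name, f"{path.name}:{no}")

    walk(Path(cfg))
    return {n: loc for n, loc in used.items() if n not in defined}, missing


def demo():  # writes the constructed sample to a temp dir and scans it
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "rules").mkdir()
        Path(d, "snort.cfg").write_text(SAMPLE_CFG)
        Path(d, "rules", "web.rules").write_text(SAMPLE_RULES)
        return preflight(Path(d, "snort.cfg"), include_dir=Path(d, "rules"))
```

An empty result from both return values means every variable used in a rule header is defined and every include resolved, so the configuration is ready to hand to snort2bro.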

Deficiency: snort2bro does not know about some of the newer Snort signature options and ignores them (but it gives a warning).



Vern Paxson 2004-03-21