The open-source IDS Snort provides an extensive library of signatures. The Python script snort2bro converts Snort signatures into Bro signatures. Because Bro and Snort have different internal architectures, it is not always possible to preserve the exact semantics of Snort's signatures, but most of the time it works very well.
To convert Snort signatures into Bro's format, snort2bro needs a workable Snort configuration file (snort.cfg) which, in particular, defines the variables used in the Snort signatures (usually things like $EXTERNAL_NET or $HTTP_SERVERS). The conversion is performed by calling snort2bro [-I dir] snort.cfg where the directory optionally given by -I contains the files imported by Snort's include statement. The converted signature set is written to standard output and may be redirected to a file. This file can then be evaluated by Bro using the -s flag or the signatures_files variable.
Deficiency: snort2bro does not know about some of the newer Snort signature options and ignores them (but it gives a warning).
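The sketch below is an added illustration, not snort2bro's own code: it shows why the conversion needs the variable definitions from snort.cfg and how an option the converter does not handle is dropped with a warning. The sample configuration, the rule, the set of handled options and the warning text are all constructed assumptions, and only a small subset of rule syntax is covered.

```python
import re

# Constructed sample input: a minimal snort.cfg fragment and one rule.
SNORT_CFG = """var EXTERNAL_NET any
var HTTP_SERVERS 10.0.0.0/24
var HTTP_PORTS 80
"""
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB example access"; content:"/cgi-bin/example"; '
        'flowbits:set,example; sid:1000001;)')
HANDLED = {"msg", "content", "sid"}  # options this toy converter understands

def parse_vars(cfg):
    """Collect 'var NAME value' definitions from a Snort config."""
    return dict(re.findall(r"^var\s+(\S+)\s+(\S+)", cfg, re.M))

def expand(token, variables):
    """Resolve $NAME from the config; an undefined variable is fatal."""
    if not token.startswith("$"):
        return token
    if token[1:] not in variables:
        raise KeyError("undefined Snort variable " + token)
    return variables[token[1:]]

def convert(rule, variables):
    """Return (bro_signature_text, warnings) for one simple TCP/UDP rule."""
    head, body = rule.split("(", 1)
    _action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = re.findall(r'(\w+)\s*(?::\s*"?([^";]*)"?)?\s*;', body)
    sid = dict(opts).get("sid", "unknown")
    lines = ["signature sid-%s {" % sid, "  ip-proto == " + proto]
    for cond, tok in (("src-ip", src), ("src-port", sport),
                      ("dst-ip", dst), ("dst-port", dport)):
        value = expand(tok, variables)
        if value != "any":  # "any" places no constraint on the header
            lines.append("  %s == %s" % (cond, value))
    warnings = []
    for name, value in opts:
        if name == "msg":
            lines.append('  event "%s"' % value)
        elif name == "content":  # escape regex metacharacters, match anywhere
            lines.append("  payload /.*%s/" % re.sub(r"(\W)", r"\\\1", value))
        elif name not in HANDLED:
            warnings.append("sid %s: ignoring unsupported option %s" % (sid, name))
    return "\n".join(lines + ["}"]), warnings

if __name__ == "__main__":
    signature, notes = convert(RULE, parse_vars(SNORT_CFG))
    print(signature)
    print("\n".join(notes))
```

A converted signature that silently lost an option can match more traffic than the Snort original, so the warnings are worth reviewing before the output is loaded into Bro.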