
Snort, last time I checked, operated on much simpler primitives like regular expressions and static strings.

Bro, on the other hand, is less of a product and more of a framework (think RoR) for studying protocol design and parsing. It's written in pure C++ so it's fast, and a lot of research papers have been written exploring things like programming paradigms for processing network data (functional vs. stream vs. imperative vs. OO), the best way to express exploits and vulnerabilities, efficient ways of tracking and storing protocol state, etc.

I think they're trying to commercialize it into something usable without tons of tuning. A good goal, as it's not that usable for out-of-box IDS/IPS ca. 5 yrs ago.


