Bro: a question regarding type
vern at aciri.org
Thu Oct 4 23:50:54 PDT 2001
> I had a general question regarding Bro.
> Can we classify it under Rule based or Anomaly based as usually IDSs are
> classified ?
> I would guess it is a Rule based one. Is there any anomaly detection in
> Bro ?
I think of Bro as somewhat different from both of these notions. The term
I've used is "activity based", meaning that its core notion is to first
describe network activity in generic terms (this is done by the event
engine), and then to compare that activity against a site's local policy
for policy violations (done by the script interpreter). That said, it's
in general closer to rule-based than anomaly-based, and a number of the
attacks detected by the default set of scripts are certainly rule-based/
signature-based. But some of its detection, such as stepping stones and
backdoors, is more along the lines of anomaly detection, except you need
to define the "normal" behavior (e.g., which stepping stones and backdoors
are benign) by hand. This isn't fundamental to Bro's design - you could
picture extending it to learn likely normal behavior in this regard - but
it doesn't do so presently.
> When it is stated that an IDS can withstand up to or greater than 'X'
> do we make any assumptions regarding the number of rules in the
> rule-based IDS ?
> I would think as the rules increases, the traffic that the IDS can
> withstand should decrease.
In general, yes, though you look for rules that can be matched in parallel.
For example, by using regular-expression matching, you can look for large
numbers of text patterns in packet payloads or connection byte streams
all at the same time, without having to back up.
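The last point of the reply, that many patterns can be matched against a byte stream in a single pass without backing up, is illustrated below with an added example that is not part of the original mail or of Bro itself. Bro compiles regular expressions into a DFA; the example uses the Aho-Corasick automaton, which is the fixed-string special case of the same idea, and contrasts it with pattern-by-pattern scanning. The patterns and the HTTP request line are constructed sample data.

```python
from collections import deque

# Constructed signature strings and payload (illustrative, not real Bro signatures).
PATTERNS = ["passwd", "/etc/passwd", "xterm", "USER root"]
SAMPLE_PAYLOAD = "GET /cgi-bin/view?file=/etc/passwd HTTP/1.0"


class MultiPatternMatcher:
    """Aho-Corasick automaton: one left-to-right pass finds every pattern."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]      # goto[state][char] -> next state (trie edges)
        self.fail = [0]       # fail[state] -> longest proper suffix that is a trie node
        self.output = [[]]    # output[state] -> indices of patterns ending at this state
        for idx, pat in enumerate(self.patterns):
            state = 0
            for ch in pat:
                nxt = self.goto[state].get(ch)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    self.goto[state][ch] = nxt
                state = nxt
            self.output[state].append(idx)
        # Breadth-first pass computes failure links; a node's fail target is
        # shallower, so its output list is already complete when we merge it.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.output[s] = self.output[s] + self.output[self.fail[s]]

    def scan(self, text):
        """Return (matches, chars_examined); matches are (start_offset, pattern).

        The text index only ever moves forward: a mismatch follows failure links
        inside the automaton instead of re-reading earlier input.
        """
        state, matches, examined = 0, [], 0
        for i, ch in enumerate(text):
            examined += 1
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for idx in self.output[state]:
                pat = self.patterns[idx]
                matches.append((i - len(pat) + 1, pat))
        return matches, examined


def naive_scan(text, patterns):
    """Pattern-by-pattern scan; work grows with the number of patterns."""
    matches, comparisons = [], 0
    for pat in patterns:
        for i in range(len(text) - len(pat) + 1):
            j = 0
            while j < len(pat):
                comparisons += 1
                if text[i + j] != pat[j]:
                    break
                j += 1
            if j == len(pat):
                matches.append((i, pat))
    return matches, comparisons


def compare(text, patterns):
    """Run both scanners and return their matches and their cost counters."""
    ac_matches, ac_cost = MultiPatternMatcher(patterns).scan(text)
    naive_matches, naive_cost = naive_scan(text, patterns)
    return sorted(ac_matches), ac_cost, sorted(naive_matches), naive_cost


if __name__ == "__main__":
    ac_m, ac_c, nv_m, nv_c = compare(SAMPLE_PAYLOAD, PATTERNS)
    print("automaton :", ac_m, "chars examined =", ac_c)
    print("one-by-one:", nv_m, "comparisons =", nv_c)
```

Both scanners report the same hits, but the automaton examines each byte of the payload exactly once however many signatures are loaded, which is why a rule set can grow without the per-packet cost growing with it; the one-by-one loop's comparison count climbs with every added pattern.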