Definition of intrusion detection

Vern Paxson vern at
Thu Jul 25 01:05:25 PDT 2002

> Since bro is one of the intrusion detection systems, I decided to
> ask that is there a commonly accepted definition of what an 
> intrusion detection system is?

I view intrusion detection as monitoring activity to detect violations
of *policy*, so this probably fits with:

> Moving away from a simple backdoor detection for example, I think
> intrusion detection becomes more of a political activity.

But more generally, there's a whole spectrum, from detecting attempts to
exploit programming flaws in services, to attempts to exploit application
flaws, to misuse/inappropriate use, to denial of service; to monitoring
activity (network traffic, for a NIDS) simply to understand how resources
are being used.  Bro is meant to be capable of covering this whole range,
though it's better at some than others.


More information about the Bro mailing list