a quick doubt reg bro...

Vern Paxson vern at icir.org
Mon May 13 12:34:18 PDT 2002

> Bro can be classified as a protocol-analysis NIDS, right?
> I know it does signature/pattern matching too, but
> it does a lot of protocol analysis too, right?
> So is it correct to classify Bro more like a protocol
> analysis IDS rather than sig-based?
> It would be GREAT if anyone could drop a quick reply/comment..

The way the Bro paper describes it, Bro is "activity-based" as opposed to
signature-based.  It certainly does emphasize detailed protocol analysis.

What I've meant by activity-based is similar to what is recently emerging
in the literature (by others) as "specification-based" intrusion detection,
and that's, I think, a better term.

So probably the best way to describe it is something like "a specification-
based NIDS that emphasizes detailed protocol analysis, though also capable
of signature-based detection".


