a quick doubt reg bro...
vern at icir.org
Mon May 13 12:34:18 PDT 2002
> Bro can be classified as a protocol-analysis NIDS, right ?
> I know it does signature/pattern matching too but
> it does lot of protocol analysis too, right ?
> So is it correct to classify bro more like a protocol
> analysis ids rather than sig-based ?
> it would be GREAT if anyone could drop a quick reply/comment..
The way the Bro paper describes it, Bro is "activity-based" as opposed to
signature-based. It certainly does emphasize detailed protocol analysis.
What I've meant by activity-based is similar to what is recently emerging
in the literature (by others) as "specification-based" intrusion detection,
and that's I think a better term.
So probably the best way to describe it is something like "a specification-
based NIDS that emphasizes detailed protocol analysis, though also capable
of signature-based detection".
More information about the Bro