[Bro] flow-level analysis code

Vern Paxson vern at icir.org
Fri Dec 17 11:46:34 PST 2004

> I am very interested, but it seems that it is somewhat outside the scope 
> of Bro as a classic NIDS. Reading netflow will make no sense (for Bro) 
> since there is no packet contents.

Actually, I think it does make sense.  Bro can do a fair amount of analysis
based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
packet contents.  For example, its scan detection is driven off of this
level of information.


More information about the Bro mailing list