[Bro] flow-level analysis code
vern at icir.org
Fri Dec 17 11:46:34 PST 2004
> I am very interested, but it seems that it is somewhat outside the scope
> of Bro as a classic NIDS. Reading netflow will make no sense (for Bro)
> since there are no packet contents.
Actually, I think it does make sense. Bro can do a fair amount of analysis
based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
packet contents. For example, its scan detection is driven off of this
level of information.
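The kind of analysis the reply describes, worked through as an added example (not code from the original post, and not Bro's own scan detector): each record is a hypothetical bidirectional flow summary carrying only what a NetFlow-style export has for TCP and UDP (addresses, ports, the OR of the TCP flag bits seen in each direction, and the responder's packet count). From that alone the script classifies each TCP attempt as completed, rejected (RST came back) or unanswered, treats a UDP flow with no reply as unanswered, and then flags a source that failed against many distinct hosts (address scan) or many distinct ports on one host (port scan). The thresholds, the `Flow` field names and the sample flows are all assumptions constructed for the example.

```python
"""Scan detection from flow-level records only, without any payload.

Added example, not code from the Bro project or from the mailing-list
post. The Flow record, thresholds and sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits, numbered as in the NetFlow v5 tcp_flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """Hypothetical bidirectional flow summary (assumed layout)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    oflags: int      # OR of TCP flags sent by the originator (0 for UDP)
    rflags: int      # OR of TCP flags sent by the responder (0 for UDP)
    rpackets: int    # packets sent back by the responder


def outcome(f: Flow) -> str:
    """Classify a flow from headers alone: no payload is consulted."""
    if f.proto == TCP:
        if not f.oflags & SYN:
            return "other"          # no SYN seen: mid-stream or stray segments
        if f.rflags & SYN and f.rflags & ACK:
            return "completed"      # SYN/ACK came back: something is listening
        if f.rflags & RST:
            return "rejected"       # RST came back: port closed
        return "unanswered"         # nothing came back: filtered or no host
    if f.proto == UDP:
        return "answered" if f.rpackets > 0 else "unanswered"
    return "other"


def detect_scans(flows, addr_threshold=5, port_threshold=5):
    """Return (kind, ...) alerts for sources whose failed attempts fan out."""
    hosts_failed = defaultdict(set)    # scanner -> distinct targets that failed
    ports_failed = defaultdict(set)    # (scanner, target) -> distinct failed ports
    for f in flows:
        if outcome(f) not in ("rejected", "unanswered"):
            continue
        hosts_failed[f.src].add(f.dst)
        ports_failed[(f.src, f.dst)].add(f.dport)
    alerts = []
    for src, targets in sorted(hosts_failed.items()):
        if len(targets) >= addr_threshold:
            alerts.append(("address_scan", src, len(targets)))
    for (src, dst), ports in sorted(ports_failed.items()):
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Ordinary web fetch: handshake completed, then torn down.
    Flow("192.168.1.20", "10.1.1.80", TCP, 51000, 80, SYN | ACK | FIN, SYN | ACK | FIN, 12),
    # DNS lookup that got a reply.
    Flow("192.168.1.20", "10.1.1.53", UDP, 51001, 53, 0, 0, 1),
    # One failed attempt from an otherwise benign host: stays below threshold.
    Flow("192.168.1.21", "10.1.1.80", TCP, 51002, 8080, SYN, RST, 1),
]
# 10.0.0.5 probes port 22 on six hosts; some answer RST, some stay silent.
for i in range(6):
    SAMPLE_FLOWS.append(Flow("10.0.0.5", f"10.1.1.{i + 1}", TCP, 40000 + i, 22,
                             SYN, RST if i % 2 else 0, 1 if i % 2 else 0))
# 10.0.0.7 walks ports 21-26 on a single host; every attempt is rejected.
for p in range(21, 27):
    SAMPLE_FLOWS.append(Flow("10.0.0.7", "10.1.1.10", TCP, 41000 + p, p, SYN, RST, 1))

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(*alert)
```

Both failure modes are counted because, from the scanner's point of view, a port that answers RST and one that never answers are equally informative; only a completed handshake (or an answered UDP request) is excluded. A real exporter that emits unidirectional records would need the two halves of each connection paired up first, which is the main extra work when feeding NetFlow rather than packets into this kind of logic.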