[Bro] flow-level analysis code

Anton Chuvakin, Ph.D. anton at netForensics.com
Fri Dec 17 12:16:27 PST 2004

>> I am very interested, but it seems that it is somewhat outside the scope
>> of Bro as a classic NIDS. Reading netflow will make no sense (for Bro)
>> since there are no packet contents.

> Actually, I think it does make sense.  Bro can do a fair amount of analysis
> based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
> packet contents.  For example, its scan detection is driven off of this
> level of information.

But where will you take it beyond scans?

Maybe automatic 'stepping stone' detection based on flows? Or flow 
profiling (for backdoors and trojans with new ports)? It looks like it 
will be a very different product as a result.

Also, in this case we will see neither contents nor the header, just the 
fact that a session took place.

Anton Chuvakin, Ph.D., GCIA, GCIH
Author of "Security Warrior" from O'Reilly - http://www.securitywarrior.com
Security Strategist
Product Management Group
netForensics -  http://www.netForensics.com
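The quoted point in the thread is that scan detection can be driven purely from connection-level information (TCP SYN/FIN/RST and UDP request/reply pairing) with no payload at all. The script below is an added illustration of that idea in Python; it is not Bro's own code or its scan policy. The `Flow` record layout (source, destination, destination port, protocol, aggregated TCP flags, packet count) and the thresholds are assumptions, and the flow records are constructed sample data. A TCP flow that carried a SYN but never an ACK is treated as an unanswered attempt, a UDP flow with no flow back from the server likewise; a source with many such attempts across hosts is reported as an address scan, and many across ports of one host as a port scan.

```python
"""Toy scan detector over flow records (added illustration, not Bro code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """Assumed flow-record shape; real exporters (NetFlow, Argus, ...) differ."""
    src: str
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # union of TCP flags seen in the flow ("S", "SA", "R", ...); "" for UDP
    packets: int


def is_failed_attempt(flow: Flow, udp_pairs: Set[Tuple[str, str]]) -> bool:
    """True when the flow is an unanswered probe: no handshake or no reply."""
    if flow.proto == "tcp":
        # SYN seen but never an ACK from this side: no connection was established.
        return "S" in flow.flags and "A" not in flow.flags
    # UDP has no handshake; treat a request with no flow back from the server as unanswered.
    return (flow.dst, flow.src) not in udp_pairs


def detect_scans(flows: Iterable[Flow], host_threshold: int = 5,
                 port_threshold: int = 5) -> Dict[str, List[str]]:
    """Return {source: [finding, ...]} for sources exceeding either threshold."""
    flows = list(flows)
    udp_pairs = {(f.src, f.dst) for f in flows if f.proto == "udp"}
    hosts_by_src: Dict[str, Set[str]] = defaultdict(set)
    ports_by_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        if not is_failed_attempt(f, udp_pairs):
            continue
        hosts_by_src[f.src].add(f.dst)
        ports_by_pair[(f.src, f.dst)].add(f.dport)

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"address scan: {len(hosts)} hosts")
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings[src].append(f"port scan of {dst}: {len(ports)} ports")
    return dict(findings)


# Constructed sample records (not captured data): one address scanner, one port
# scanner, one UDP address scanner, plus ordinary completed TCP and DNS traffic.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"192.0.2.{i}", 22, "tcp", "S", 1) for i in range(1, 7)]
    + [Flow("10.0.0.9", "192.0.2.10", p, "tcp", "S", 2) for p in (21, 22, 23, 25, 110)]
    + [Flow("10.0.0.9", "192.0.2.10", 80, "tcp", "SA", 12)]      # completed, ignored
    + [Flow("10.0.0.7", "192.0.2.20", 443, "tcp", "SAF", 40) for _ in range(8)]
    + [Flow("10.0.0.11", f"192.0.2.{i}", 161, "udp", "", 1) for i in range(30, 36)]
    + [Flow("10.0.0.7", "192.0.2.53", 53, "udp", "", 1),          # DNS query ...
       Flow("192.0.2.53", "10.0.0.7", 4096, "udp", "", 1)]        # ... and its answer
)


def sample_findings() -> Dict[str, List[str]]:
    return detect_scans(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, notes in sample_findings().items():
        print(src, "->", "; ".join(notes))
```

Everything the detector uses is available from a flow export; it never looks at a payload byte. What the thread's original objection does capture is the limit of this approach: a scan is visible because the pattern of attempts is the signal, whereas anything that needs bytes on the wire (content signatures, protocol decoding) is out of reach at this level.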
