[Bro] flow-level analysis code

Vern Paxson vern at icir.org
Sat Dec 18 18:02:47 PST 2004

> > Actually, I think it does make sense.  Bro can do a fair amount of analysis
> > based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
> > packet contents.  For example, its scan detection is driven off of this
> > level of information.
> But where you will take it beyond scans?

As Jean-Philippe mentioned in his reply, you can use it for forms of
analysis along the lines of "host A contacted host B and host B replied,
is that allowed?"  For some forms of contact, you can't really do this
without having packet contents, since host B may have replied at the app
layer saying "I refuse to talk to you", but for other forms you can tell
if proscribed communication occurred just by the volumes of data transferred
in each direction.

> Maybe automatic 'stepping stone' detection based on flows? Or flow 
> profiling (for backdoors and trojans with new prots)?

Yes, for some of that too.  I'm also working with some students on detecting
some other types of anomalies that indicate likely attacks that work at
this level.


More information about the Bro mailing list