[Bro] flow-level analysis code
vern at icir.org
Sat Dec 18 18:06:45 PST 2004
> If I'm not wrong Bro just see the 'local' network
More precisely, just see what transits whatever link(s) for which it has
taps. Also, the ability of Bro's to exchange events allows a broader set
of perspectives to be integrated, though we haven't put this together
operationally yet (we will soon). In addition, the Bro client library
(Broccoli) allows integration of host events into the network analysis.
One interesting example here is an sshd instrumented to tell Bro about
authentication attempts/successes, as well as possibly sending it the clear
text of a login session (yes, a scary thought!; this happens over SSL, not
in the clear, but still gives some people the heeby-jeebies). We have
a prototype of that pretty much done.
More information about the Bro