[Bro] flow-level analysis code

Christian Kreibich christian at whoop.org
Sun Dec 19 11:20:16 PST 2004


I think it's important that people take a very open stance when
considering what's useful to Bro. Bro is not just a signature matcher.
As Vern indicated when mentioning scan detection, it's not necessarily
about packet contents -- if you want that and only that then use Snort
(after making sure that our Bro rules don't do at least as good a job :)
The protocol headers give you a lot of information when it comes to
inferring communication patterns, communities of interest, connection
behaviour, traffic volume, etc. It all depends on your policy. 

Also, Bro's actually on the brink of becoming really quite distributed.
Bro can already exchange essentially arbitrary state with other Bro
nodes (have a look at the remote.bro and listen-ssl.bro policies) --
this includes policies, connection state, policy state, etc. We can do
Bro-Bro handovers, communicate with non-Bro agents, you name it. I'm not
aware of any other system that comes close to this. It's still being
polished and not widely known yet, but it's coming :)


On Sat, 2004-12-18 at 20:09 +0100, jean-philippe luiggi wrote:
> Anton Chuvakin, Ph.D. wrote:
> >> I use Netflow every day and it may be a good thing to use it inside Bro.
> >> Who's interested in this topic?
> >> I think I (we) may start something.
> >
> >
> > I am very interested, but it seems that it is somewhat outside the 
> > scope of Bro as a classic NIDS. Reading netflow will make no sense 
> > (for Bro) since there is no packet contents.
> >
> > Best,
> Hello Anton,
> If I'm not wrong, Bro just sees the 'local' network; it doesn't work like a
> distributed IDS. On the other side, it's sure that using Netflow does not
> give us the ability to see the payload, but with Netflow
> - We could see network scans
> - We could see some 'not usual' traffic which may break the security
> rules
> So maybe using this feature would give us some new 'nice' information?

