[Bro] Questions

Vern Paxson vern at icir.org
Mon Dec 27 22:44:59 PST 2004

> - i'm not quite sure about the future plans of bro. will there be
> a lot of big changes from now to the release of 1.0? incompatibilities?

We don't have a precise roadmap, but of the anticipated changes, I don't
think any upcoming ones would be viewed as "big" for most Bro users.  There
also will be some incompatibilities, but likewise I don't imagine these
will be viewed as major by most Bro users.

> - there exists a detection method which is based on the entropy of
> ip headers (tuple: src, dst, src_port, dst_port). the algorithm stores 
> this table of tuples every minute in a file and compresses it using
> the LZO-compression-algorithm. then the size of the file is an indicator
> for network anomalies.

(Hmmmm, that seems a lot more coarse-grained than something like Bro's
TRW detector ....)

> now my question: how can i best implement this with bro? how can i use
> the lzo-algorithm (which is available in C, java, perl...) to compress
> my file every minute and get back the resulting file size?

If you really want to do that, the natural way would be to add it as a
built-in function (see src/bro.bif for how these are defined).  Ideally,
the function would compute it in an incremental fashion, so the result can
be updated a piece at a time in real-time.  Computing it in a batch every
minute or so, with a corresponding large CPU burst required, is not in
keeping with real-time analysis & detection.


More information about the Bro mailing list