[Bro] mod_security and bro
vern at icir.org
Mon Nov 20 19:00:21 PST 2006
> think I'd prefer to keep the detection mechanism inside Bro as
> otherwise this might get tricky to use/setup/maintain (what happens
> with alerts? Are they going to be fed back to Bro?).
*Yes*, please let's strive for this whenever possible. It makes a major
difference in the long run, when we (very often) find that the standalone
detector isn't by itself actionable, but could be if combined with additional
information/policy analysis - which Bro is much better at doing than on
an ad hoc basis inside the standalone detector.