[Bro] mod_security and bro

Vern Paxson vern at icir.org
Mon Nov 20 19:00:21 PST 2006

> think I'd prefer to keep the detection mechanism inside Bro as
> otherwise this might get tricky to use/setup/maintain (what happens
> with alerts? Are they going to be fed back to Bro?). 

*Yes*, please let's strive for this whenever possible.  It makes a major
difference in the long run, when we (very often) find that the standalone
detector isn't by itself actionable, but could be if combined with additional
information/policy analysis - which Bro is much better at doing than in
an ad hoc basis inside the standalone detector.


More information about the Bro mailing list