[Bro] need help on bro

Vern Paxson vern at icir.org
Thu Nov 8 08:15:39 PST 2007

> already be necessary to define what is the normality from a network
> point of view, which is normal for then giving alarms on what leaves the
> framework. 

Yes, this is a powerful approach, and one for which Bro is well suited.
In the research world it's termed specification-based intrusion detection,
but this hasn't yet caught on as a term in the commercial world.


More information about the Bro mailing list