Vern Paxson vern at icir.org
Thu Nov 8 12:30:08 PST 2007

> > already be necessary to define what is the normality from a network
> > point of view, which is normal for then giving alarms on what leaves the
> > framework. 
> Yes, this is a powerful approach, and one for which Bro is well suited.
> In the research world it's termed specification-based intrusion detection,
> but this hasn't yet caught on as a term in the commercial world.

Let me be a bit more precise.  You don't define what is *normal*, but
rather what is *allowed* (including rare-but-okay forms of activity).
So you form a specification of allowed behavior and flag any activity
that doesn't comply with it.

The main drawback of this approach is that it takes considerable manual
effort to form the specifications and keep them up to date.  (If instead
you automatically learn the specifications, then you're back to doing
anomaly detection.)
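As an added illustration of the distinction Vern draws (this is example code written for this page, not code from the original post or from Bro itself), here is a tiny specification-based detector in Python. The specification is a hand-written allowlist of which services each server may be contacted on; every connection that does not comply is flagged. Nothing is learned from traffic, which is exactly why a rare-but-okay activity (the weekly rsync to the backup host) is not an alert, and also why the list has to be maintained by hand. All hosts, ports and log lines are constructed for the example, and the log format (ts, originator, responder, proto, responder port) is assumed rather than any real Bro log layout.

```python
"""Specification-based detection: flag anything not explicitly allowed.

Added example, not from the original mailing-list post.  The servers,
services and connection records below are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The specification of *allowed* behaviour: (protocol, port) services that
# each server may be contacted on.  Written and maintained by hand, which is
# the manual effort the post warns about.  The backup host's rsync port is
# rare-but-okay: a learned "normal" profile might never see it, but the
# spec permits it explicitly.
ALLOWED_SERVICES: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.10": {("tcp", 80), ("tcp", 443)},   # web server
    "10.0.0.20": {("tcp", 25), ("tcp", 587)},   # mail relay
    "10.0.0.30": {("tcp", 22), ("tcp", 873)},   # backup host, rsync weekly
}


@dataclass(frozen=True)
class Conn:
    ts: str
    orig_h: str
    resp_h: str
    proto: str
    resp_p: int


def parse_conn_line(line: str) -> Conn:
    """Parse one record of the assumed format: ts orig_h resp_h proto resp_p."""
    ts, orig_h, resp_h, proto, resp_p = line.split()
    return Conn(ts, orig_h, resp_h, proto, int(resp_p))


def check_conn(conn: Conn, spec: Dict[str, Set[Tuple[str, int]]] = ALLOWED_SERVICES) -> Optional[str]:
    """Return None if the connection complies with the spec, else the reason it does not."""
    if conn.resp_h not in spec:
        return "responder not in specification"
    if (conn.proto, conn.resp_p) not in spec[conn.resp_h]:
        return f"service {conn.proto}/{conn.resp_p} not allowed on {conn.resp_h}"
    return None


def find_violations(lines: List[str], spec: Dict[str, Set[Tuple[str, int]]] = ALLOWED_SERVICES) -> List[Tuple[Conn, str]]:
    """Run every record through the spec and collect the non-compliant ones."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        conn = parse_conn_line(line)
        reason = check_conn(conn, spec)
        if reason is not None:
            violations.append((conn, reason))
    return violations


# Constructed sample connection log.  Two records violate the spec: SSH to
# the web server, and any contact with a host the spec does not mention.
SAMPLE_LOG = """\
# ts orig_h resp_h proto resp_p
1194553800.1 192.0.2.7 10.0.0.10 tcp 443
1194553801.4 192.0.2.7 10.0.0.10 tcp 80
1194553802.9 192.0.2.9 10.0.0.30 tcp 873
1194553803.2 192.0.2.9 10.0.0.10 tcp 22
1194553804.0 192.0.2.12 10.0.0.99 tcp 80
""".splitlines()


if __name__ == "__main__":
    for conn, reason in find_violations(SAMPLE_LOG):
        print(f"{conn.ts} {conn.orig_h} -> {conn.resp_h}:{conn.resp_p}/{conn.proto}: {reason}")
```

Note that the rsync connection on line three is never examined for how often it happens; the only question the detector asks is whether the spec allows it. Replacing ALLOWED_SERVICES with a table derived from observed traffic would turn this back into anomaly detection, as the post points out.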


