[Bro] need help on bro
jp.luiggi at free.fr
Thu Nov 8 18:38:59 PST 2007
On Thu, 08 Nov 2007 12:30:08 -0800
Vern Paxson <vern at icir.org> wrote:
> > > already be necessary to define what is the normality from a
> > > network point of view, which is normal for then giving alarms on
> > > what leaves the framework.
> > Yes, this is a powerful approach, and one for which Bro is well
> > suited. In the research world it's termed specification-based
> > intrusion detection, but this hasn't yet caught on as a term in the
> > commercial world.
> Let me be a bit more precise. You don't define what is *normal*, but
> rather what is *allowed* (including rare-but-okay forms of activity).
> So you form a specification of allowed behavior and flag any activity
> that doesn't comply with it.
OK, I understand the difference, and this makes sense.
> The main drawback of this approach is that it takes considerable
> manual effort to form the specifications and keep them up to date.
Yes, it's the same drawback as with signature-based NIDS, I think (considering
the rules as specifications).
And that's why I have been using Bro for some time. :-)
> (If instead you automatically learn the specifications, then you're
> back to doing anomaly detection.)
Speaking of specifications here, do you mean all the traffic?
In all cases with approaches like this, we may have to make
corrections, as with neural networks for example (where we'll have to
specify, for each result, whether it's correct or not).
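The distinction drawn in this exchange (a hand-written specification of *allowed* behaviour versus a specification learned from traffic) can be made concrete with a small detector. The following is an added example, not code from the Bro project or from either participant: a per-server whitelist of allowed services is checked against connection summaries, and a second routine derives the "specification" from a training window to show why the learned variant flags rare-but-legitimate activity. The record format, the host addresses and the `ALLOWED_SPEC` table are all constructed for this example and are not Bro's conn.log layout.

```python
"""Specification-based detection over constructed connection records.

Added example (not from the Bro project or the mailing-list thread).
The record format below is constructed for this example and is not
Bro's conn.log layout: timestamp, originator, responder, responder port,
transport protocol, whitespace-separated.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "ts orig resp resp_port proto")

# Constructed connection summaries (not real traffic).
SAMPLE_LOG = """\
1194550000.1 10.0.0.5  192.0.2.10 25   tcp
1194550001.2 10.0.0.7  192.0.2.10 25   tcp
1194550002.3 10.0.0.9  192.0.2.20 80   tcp
1194550003.4 10.0.0.9  192.0.2.20 443  tcp
1194550004.5 10.0.0.5  192.0.2.30 53   udp
1194550005.6 10.0.0.12 192.0.2.20 22   tcp
1194550006.7 10.0.0.12 192.0.2.10 3389 tcp
1194550007.8 10.0.0.5  192.0.2.30 123  udp
"""

# Hand-written specification of what each server is *allowed* to serve.
# Rare-but-legitimate activity (the occasional NTP sync against 192.0.2.30)
# is listed explicitly: the specification is about permission, not frequency.
ALLOWED_SPEC = {
    "192.0.2.10": {("tcp", 25)},
    "192.0.2.20": {("tcp", 80), ("tcp", 443), ("tcp", 22)},
    "192.0.2.30": {("udp", 53), ("udp", 123)},
}


def parse_log(text):
    """Parse the constructed record format into Conn tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, proto = line.split()
        conns.append(Conn(float(ts), orig, resp, int(port), proto))
    return conns


def check_spec(conns, spec):
    """Return every connection that falls outside the allowed specification.
    A responder absent from the spec has no allowed services at all."""
    violations = []
    for c in conns:
        if (c.proto, c.resp_port) not in spec.get(c.resp, set()):
            violations.append(c)
    return violations


def learn_spec(conns):
    """Derive a 'specification' from observed traffic instead of writing one.
    This is the anomaly-detection variant: whatever appeared in the training
    window becomes allowed, and anything absent from it (including
    rare-but-okay activity) is flagged later."""
    spec = {}
    for c in conns:
        spec.setdefault(c.resp, set()).add((c.proto, c.resp_port))
    return spec


def spec_violations():
    """Connections violating the hand-written specification."""
    return check_spec(parse_log(SAMPLE_LOG), ALLOWED_SPEC)


def learned_violations(training_records=5):
    """Connections flagged when the spec is learned from the first
    `training_records` records and applied to the rest."""
    conns = parse_log(SAMPLE_LOG)
    learned = learn_spec(conns[:training_records])
    return check_spec(conns[training_records:], learned)


if __name__ == "__main__":
    print("hand-written specification flags:")
    for c in spec_violations():
        print(f"  {c.orig} -> {c.resp}:{c.resp_port}/{c.proto}")
    print("learned specification flags:")
    for c in learned_violations():
        print(f"  {c.orig} -> {c.resp}:{c.resp_port}/{c.proto}")
```

Run stand-alone, the hand-written specification flags only the RDP connection to the mail server, while the learned one also flags the SSH connection and the NTP sync because neither occurred in the training window. That gap is the manual-maintenance cost the thread describes: with a written specification, the analyst decides what is allowed once and updates it when the environment changes; with a learned one, every legitimate-but-unseen behaviour must be corrected after the fact.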