Hello Everybody,

On Thu, 08 Nov 2007 12:30:08 -0800
Vern Paxson <vern at icir.org> wrote:

> > > already be necessary to define what is the normality from a
> > > network point of view, which is normal for then giving alarms on
> > > what leaves the framework. 
> > 
> > Yes, this is a powerful approach, and one for which Bro is well
> > suited. In the research world it's termed specification-based
> > intrusion detection, but this hasn't yet caught on as a term in the
> > commercial world.
> Let me be a bit more precise.  You don't define what is *normal*, but
> rather what is *allowed* (including rare-but-okay forms of activity).
> So you form a specification of allowed behavior and flag any activity
> that doesn't comply with it.

OK, I understand the difference and this makes sense.

> The main drawback of this approach is that it takes considerable
> manual effort to form the specifications and keep them up to date.

Yes, it's the same drawback as signature-based NIDS, I think (considering
the rules as specifications).
And it's why I have used Bro for some time. :-)

> (If instead you automatically learn the specifications, then you're
> back to doing anomaly detection.)

Speaking of specifications here, do you mean all the traffic?

In all cases with approaches like this, we may have to make
corrections, as with neural networks for example (where we'll have to
specify for a result whether it's correct or not).

Best regards,
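The specification-based approach discussed in this thread (write down what is *allowed*, including rare-but-okay activity, and flag everything else) in a small Python illustration. This is an added example and not Bro code or anything from the list participants; the network, the specification and the conn-log lines are constructed, and the log format only mimics the column order of a Bro conn log.

```python
"""Specification-based detection: an allow-list of expected connections,
plus a manual 'correction' step that extends the specification once an
analyst has confirmed a flagged connection as legitimate.  Hypothetical
network and log data, constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One allowed (server, protocol, port[, service]) combination."""
    resp_h: str
    proto: str
    resp_p: int
    service: Optional[str] = None  # None = any service label is acceptable

    def matches(self, conn: Dict[str, object]) -> bool:
        return (conn["resp_h"] == self.resp_h
                and conn["proto"] == self.proto
                and conn["resp_p"] == self.resp_p
                and (self.service is None or conn["service"] == self.service))


# Constructed specification of allowed behaviour for a small network.
SPEC: List[Rule] = [
    Rule("10.0.0.5", "tcp", 80, "http"),
    Rule("10.0.0.5", "tcp", 443, "ssl"),
    Rule("10.0.0.53", "udp", 53, "dns"),
    Rule("10.0.0.9", "tcp", 22, "ssh"),   # rare but okay: admin SSH to one host
]

# Constructed connection records, tab separated, in the column order
# ts, orig_h, orig_p, resp_h, resp_p, proto, service.
SAMPLE_LOG = """\
1194550000.1\t192.168.1.10\t51000\t10.0.0.5\t80\ttcp\thttp
1194550001.2\t192.168.1.11\t51001\t10.0.0.53\t53\tudp\tdns
1194550002.3\t192.168.1.12\t51002\t10.0.0.9\t22\ttcp\tssh
1194550003.4\t192.168.1.10\t51003\t10.0.0.5\t8080\ttcp\thttp
1194550004.5\t192.168.1.13\t51004\t10.0.0.53\t53\ttcp\tdns
"""


def parse_conn(line: str) -> Dict[str, object]:
    """Split one log line into a dict with numeric ports."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
            "service": service}


def is_allowed(spec: List[Rule], conn: Dict[str, object]) -> bool:
    """A connection complies if at least one rule of the specification matches."""
    return any(rule.matches(conn) for rule in spec)


def find_violations(spec: List[Rule], log_text: str) -> List[Dict[str, object]]:
    """Return every connection that does not comply with the specification."""
    return [conn for conn in map(parse_conn, log_text.splitlines())
            if not is_allowed(spec, conn)]


def rule_from_conn(conn: Dict[str, object]) -> Rule:
    """The manual correction step: after an analyst confirms a flagged
    connection as legitimate, derive a rule so the specification is updated."""
    return Rule(str(conn["resp_h"]), str(conn["proto"]),
                int(conn["resp_p"]), str(conn["service"]))


if __name__ == "__main__":
    for conn in find_violations(SPEC, SAMPLE_LOG):
        print("not in specification:", conn["orig_h"], "->",
              conn["resp_h"], conn["proto"], conn["resp_p"], conn["service"])
```

Running it flags the HTTP connection to port 8080 (port not in the specification) and the TCP/53 connection to the DNS server (only UDP/53 is allowed there); neither is "abnormal" in a statistical sense, which is the distinction drawn above between normal and allowed. The `rule_from_conn` helper is the manual upkeep the thread calls the main drawback: every confirmed false alarm is fed back into the specification by hand rather than learned automatically.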


