[Bro] need help on bro

Vern Paxson vern at icir.org
Fri Nov 9 00:30:11 PST 2007

> Yes, it's the same drawback as with signature NIDS, I think (considering
> the rules as specifications).

Pretty much.  Two differences are (1) signatures are easy to share, since
they describe attacks, while specifications aren't, since they describe
local environments, and (2) signatures are bad at detecting unknown types
of attack, while specifications can do this quite well.

> Speaking of specifications here, do you mean all the traffic ?

Yes, ideally.

> In all cases with approaches like this, we may have to make
> corrections, as with neural networks for example (where we'll have to
> specify for a result whether it's correct or not).

Well, then it starts drifting away from specification-based and towards
anomaly detection.  In true specification-based intrusion detection,
corrections are done manually, to ensure they correspond with intended
specification updates.
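The two points made in the reply above (signatures describe attacks and are shareable but miss unknown ones; specifications describe the local site, are not shareable, and flag anything outside them, with corrections made as deliberate spec edits rather than learned) as a small runnable illustration. This is an added example, not code from Bro or from either poster: the connection records, the hypothetical CGI-probe signature, the hosts 10.0.0.5/6/7 and the `SPEC` allow-list are all constructed here.

```python
"""Signature-based vs. specification-based detection over constructed
connection records.  Added example, not code from the Bro project or from
the list posters; hosts, ports, payloads and the signature are made up."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Conn:
    orig_h: str     # client address
    resp_h: str     # server address
    resp_p: int     # server port
    service: str    # protocol as identified by the analyzer
    request: bytes  # first bytes of the client request (constructed)


# Signature-based: the rule describes an attack, is independent of the site,
# and is therefore trivial to share.  Hypothetical pattern, not a real one.
SIGNATURES = {
    "hypothetical-cgi-probe": re.compile(rb"GET /cgi-bin/vuln\.cgi\?cmd=", re.I),
}

# Specification-based: the rule describes *this* site (which servers exist,
# which ports they serve, which protocol must appear on each).  It says
# nothing about attacks, so anything outside it is reported, known or not.
SPEC = {
    ("10.0.0.5", 80): "http",
    ("10.0.0.6", 25): "smtp",
}


def signature_hits(conn):
    """Names of signatures whose pattern appears in the request."""
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(conn.request))


def spec_violations(conn, spec=SPEC):
    """Reasons the connection falls outside the site specification."""
    reasons = []
    key = (conn.resp_h, conn.resp_p)
    if not any(h == conn.resp_h for h, _ in spec):
        reasons.append("unknown server " + conn.resp_h)
    elif key not in spec:
        reasons.append("unexpected port %d on %s" % (conn.resp_p, conn.resp_h))
    elif spec[key] != conn.service:
        reasons.append("port %d on %s carries %s, expected %s"
                       % (conn.resp_p, conn.resp_h, conn.service, spec[key]))
    return reasons


def add_to_spec(spec, host, port, service):
    """Manual correction: an operator extends the specification on purpose.
    Returns a new spec; nothing is inferred from traffic, which is what keeps
    this specification-based rather than anomaly detection."""
    new = dict(spec)
    new[(host, port)] = service
    return new


def analyze(conns, spec=SPEC):
    """Run both detectors; returns {index: {"sig": [...], "spec": [...]}}."""
    return {i: {"sig": signature_hits(c), "spec": spec_violations(c, spec)}
            for i, c in enumerate(conns)}


# Constructed sample traffic for a site whose web server is 10.0.0.5 and
# whose mail server is 10.0.0.6.
SAMPLE = [
    Conn("192.0.2.10", "10.0.0.5", 80, "http", b"GET /index.html HTTP/1.0\r\n"),
    Conn("192.0.2.11", "10.0.0.6", 25, "smtp", b"HELO mail.example.org\r\n"),
    # known attack: the signature fires; the spec sees ordinary HTTP to the web server
    Conn("192.0.2.12", "10.0.0.5", 80, "http",
         b"GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0\r\n"),
    # unknown attack: a listener on a host the site never declared; no signature exists
    Conn("192.0.2.13", "10.0.0.7", 4444, "unknown", b"\x00\x01sh -i\n"),
    # not an attack, but outside the spec until the operator updates it
    Conn("192.0.2.14", "10.0.0.6", 587, "smtp", b"EHLO laptop.example.org\r\n"),
]

if __name__ == "__main__":
    for i, result in analyze(SAMPLE).items():
        print(i, result)
    updated = add_to_spec(SPEC, "10.0.0.6", 587, "smtp")
    print("after manual spec update:", spec_violations(SAMPLE[4], updated))
```

Record 2 shows the signature's strength and the spec's blind spot (a known attack over a declared service), record 3 the reverse (an undeclared listener no signature describes), and record 4 why the spec is local and its corrections manual: port 587 on the mail server is legitimate here, but only the operator can say so.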


