[Bro] need help on bro

kanthi myneni kanthimyneni at gmail.com
Wed Nov 14 09:58:22 PST 2007


Much more specific into specification-based. Like if there is one
specification: "a valid SMTP greeting is no longer than NN bytes long",
we need to know that NN bytes. Similarly, I believe that there are some
specifications built into Bro. Is there any way to know more about those
specifications, like how the threshold is set? Can anyone suggest me any
reference which will help me know more about this stuff?


On Nov 9, 2007 7:34 AM, jean-philippe luiggi
<jean-philippe.luiggi at didconcept.com> wrote:
> On Fri, 09 Nov 2007 00:30:11 -0800
> Vern Paxson <vern at icir.org> wrote:
> > > Yes, it's the same drawback as of signature NIDS I think
> > > (considering the rules as specifications).
> >
> > Pretty much.  Two differences are (1) signatures are easy to share,
> > since they describe attacks, while specifications aren't, since they
> > describe local environments, and (2) signatures are bad at detecting
> > unknown types of attack, while specifications can do this quite well.
> Sure, it's why I really like the approach used by Bro and specifically
> the use of policies. With them, I'm able to define my environment and
> to regulate the parameters of detection compared to the latter.
> > > In all the cases with approaches like this, we may have to make
> > > corrections as with neural networks for example (where we'll have to
> > > specify upon a result if it's correct or not).
> >
> > Well, then it starts drifting away from specification-based and
> > towards anomaly detection.  In true specification-based intrusion
> > detection, corrections are done manually, to ensure they correspond
> > with intended specification updates.
> I agree with you, I was not rather precise in my remarks and was
> speaking of anomaly-based detection using something like ANN
> (artificial neural network). :-)
> I guess you may have some traffic at Berkeley, so how do you manage
> defining "allowed" things?
> At first a cartography of flows has been made, then you choose to
> "allow" a few of them and build the specifications?
> Best regards,
> Jean-philippe.
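As an added illustration of the two questions in this thread (where the "NN bytes" of a greeting specification comes from, and how one goes from a "cartography of flows" to an allowed-behaviour specification), here is a small Python sketch. It is not code from the thread, from Bro, or from its authors, and it is written in Python rather than Bro's policy language so it runs stand-alone; the baseline greetings are constructed, not captured traffic, and the specification, margin and function names are hypothetical choices of this example.

```python
import re
from typing import Dict, List

# Constructed sample greetings (not captured traffic): banners an operator
# might record from their own mail servers while mapping the environment.
BASELINE_GREETINGS = [
    "220 mail.example.org ESMTP ready",
    "220 mx1.example.org ESMTP Postfix",
    "220 smtp.example.org ESMTP",
]

# Hypothetical specification of a *valid* greeting in this environment:
# reply code 220, a separator, a hostname, then optional free text.
# It describes what is allowed locally, not what an attack looks like,
# which is the point made in the thread about specifications vs. signatures.
GREETING_RE = re.compile(r"^220[ -][A-Za-z0-9.\-]+(?: .*)?$")


def derive_threshold(baseline: List[str], margin: int = 16) -> int:
    """Set the 'NN bytes' of the specification from the longest greeting
    the operator observed in the baseline, plus a fixed safety margin.
    This is run once on a curated baseline; it is not re-tuned on live
    traffic, so later adjustments stay deliberate, manual spec updates."""
    return max(len(g) for g in baseline) + margin


def check_greeting(line: str, max_len: int) -> List[str]:
    """Return the list of specification clauses a greeting violates
    (empty list means the greeting conforms)."""
    violations: List[str] = []
    if len(line) > max_len:
        violations.append("length")
    if not GREETING_RE.match(line):
        violations.append("format")
    # Greetings are meant to be printable ASCII text.
    if any(not (32 <= ord(ch) < 127) for ch in line):
        violations.append("non-printable")
    return violations


def audit(lines: List[str], max_len: int) -> Dict[str, List[str]]:
    """Check each observed greeting and keep only the non-conforming ones."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        problems = check_greeting(line, max_len)
        if problems:
            report[line] = problems
    return report


if __name__ == "__main__":
    limit = derive_threshold(BASELINE_GREETINGS)
    print(f"greeting length threshold NN = {limit} bytes")
    # Constructed observations to run the specification against.
    observed = [
        "220 mail.example.org ESMTP ready",
        "220 " + "A" * 60 + " ESMTP",
        "250 mail.example.org",
        "220 mail.example.org \x00\x90\x90",
    ]
    for greeting, problems in audit(observed, limit).items():
        print(repr(greeting), "->", problems)
```

The threshold is derived from the operator's own baseline rather than shipped with the checker, which is why such specifications are hard to share between sites; the format clause, by contrast, is environment-independent and would catch a server that does not speak like a mail server at all, the kind of unknown deviation the thread credits specification-based detection with.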
