> already be necessary to define what is the normality from a network
> point of view, which is normal for then giving alarms on what leaves the
> framework.

Yes, this is a powerful approach, and one for which Bro is well suited.
In the research world it's termed specification-based intrusion detection,
but this hasn't yet caught on as a term in the commercial world.

Vern