[Bro] need help on bro

jean-philippe luiggi jean-philippe.luiggi at didconcept.com
Fri Nov 9 04:34:05 PST 2007


On Fri, 09 Nov 2007 00:30:11 -0800
Vern Paxson <vern at icir.org> wrote:

> > Yes, it's the same drawback as of signature's NIDS i think
> > (considering the rules as specifications).
> 
> Pretty much.  Two differences are (1) signatures are easy to share,
> since they describe attacks, while specifications aren't, since they
> describe local environments, and (2) signatures are bad at detecting
> unknown types of attack, while specifications can do this quite well.

Sure, it's why i really like the approach used by Bro and specifically
the use of policies. With them, i'm able to define my environment and
to regulate the parameters of detection compared to this last.

> > In all the cases with approachs likes this, we may have to make
> > corrections as with neural networks for example (where we'll have to
> > specify upon a result if it's correct or not).
> 
> Well, then it starts drifting away from specification-based and
> towards anomaly detection.  In true specification-based intrusion
> detection, corrections are done manually, to ensure they correspond
> with intended specification updates.

I agree with you, i was not rather precise in my remarks and was
speaking of anomaly-based detection using something likes ANN
(artificial neural network). :-)

I guess you may have some traffic at Berkeley so how do you manage
defining "allowed" things ?
At first a cartography of flows has being made, then you choose to
"allow" a few of them  and build the specifications ?

Best regards,

Jean-philippe.


More information about the Bro mailing list