[Bro] intrusion detection

Seth Hall hall.692 at osu.edu
Fri Oct 23 08:16:08 PDT 2009

On Oct 23, 2009, at 10:19 AM, 阿斯顿飞 wrote:

> I'm a new learner of bro,so I haven't known it well.My question is  
> that the policy script is used to decide what kind of behavior is  
> intusion but what principle should i base on to judge?

The characteristics that you decide to watch for may be extremely  
specific to your environment so scripts may not exist already that  
detect the activity that you are interested in.  However, once you  
learn the language and techniques, it's typically easy to write a  
script or set of scripts to begin monitoring for the activity.   
Primarily, my recommendation (and what we do here) is to sit around  
and talk with colleagues for a while about what network activity is ok  
and what isn't.  This will frequently bring up thoughts about previous  
incidents that have been encountered or even misconfigurations that  
are not compromises but which could be detected by watching network  
traffic.  Once you have a list of tasks to accomplish and activity to  
begin detecting it will at least give you a direction to go and ideas  
for how to construct your scripts.

> If the answer is that bro only provides a platform for the users to  
> detect intrusion according to their own philosophy how does bro do  
> that in its original policy scripts?

The shipped scripts do monitor for some activity such as network/port  
scanning and some possibly undesired application specific activity  
(irc, http, and ftp for example), but the scripts make no assumptions  
about what activity is undesired on your network.  It's your job to  
define your local notice policy to indicate what's "bad" on your  
network.  Robin has a post he wrote about how to use the notice  
framework in Bro to define what's "bad":

He also has some slides from the last workshop where he spoke about  
the notice framework (you'll have to dig through for the notice  
framework part):

I also distribute some scripts that watch for additional activity and  
raise some of their own notices (in addition to logging like crazy):

The most important thing though is that you have to learn the Bro  
scripting language well if you want to be able be really effective  
with Bro.  You are *always* going to find some sort of activity that  
you want to watch for which no one has written a script, or that an  
analyzer doesn't yet exist to even parse the traffic you are most  
interested in.


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

More information about the Bro mailing list