[Bro] Missing notifications in Bro

Seth Hall seth at icir.org
Sat Apr 21 04:55:55 PDT 2012

On Apr 21, 2012, at 7:31 AM, Roger Larsen - Høgskolen i Gjøvik wrote:

> I was hoping to compare the detection rate in Bro and Snort regarding some network attacks (using NMAP).

We don't focus heavily on attacks, only where it makes sense for us.  Nmap being used on the network would be detected as a scan and for our 2.0 release we don't have our scan detector in place right now.  It's in our contributed scripts repository and will probably return soon, but for right now it's not in the default distribution.

I will say now though that comparing the detection rate between Snort and Bro is not a good thing to compare.  There is a lot more to Bro than just running it and detecting a single incident of something in a tracefile.

> #1 - How much can Bro's default base installation tell me regarding attack events (notifications)? (I use the fresh Bro 2.0)
> #2 - Can I easily get more notification LOGs from attack events?

Doing a comparison like this is heavily weighted in Snort's favor because you're looking for Bro to do what the Snort community focuses on and not what we focus on.  A poor comparison in the opposite direction would be to see what activity recording logs Snort outputs for various protocols (it doesn't do much), what correlation capabilities it has (it barely has any), or what its programming language can do (it doesn't have one).

Please don't try to compare Bro with Snort in this way.  We would love for you to write a paper involving Bro but not where the comparison is weighted against us from the beginning.  Feel free to follow up if you'd like to search for a more fair comparison together.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
