[Bro] Tuning Bro
bsravanin at gmail.com
Wed Jul 18 22:07:22 PDT 2012
On Wed, Jul 18, 2012 at 8:43 PM, Seth Hall <seth at icir.org> wrote:
> On Jul 18, 2012, at 5:24 PM, Sravan Bhamidipati wrote:
> > 2. From my layman's understanding, given a PCAP, the larger the window
> > of time and the number of packets that a system looks at the more accurate
> > its detection could be, the tradeoff being that of memory/performance. (I
> > guess there won't be any packet dropping when reading PCAPs.) Is that true?
> There definitely won't be any packet loss when reading from a tracefile.
> I don't understand the rest of what you are saying, it mostly comes down
> to a question of if your host's CPU is overwhelmed or not. If it's
> overwhelmed then you will drop packets on your NIC. If you run out of
> memory then Bro will crash because it can't allocate any more memory.
What I mean is the following. Suppose an attack involves sending n packets.
Suppose the alarm related to that attack is set to trigger when the IDS
sees m packets within a time interval t. (I guess alarms for portscans are
defined in such a way.) Then the attacker could send the n packets at a
slower rate to avoid detection through the alarm. If t is set to a larger
value, then the slower attacks could also be detected. Something along the
lines of: the greater the history maintained, the greater the context and the
greater the possibility of detecting an attack. Does this make sense?
> > , or the number of packets that Bro simultaneously analyzes. (Snort has
> > some parameters along these lines.)
> I don't understand this comment.
> > 4. How does Bro handle packet defragmentation and stream reassembly? Is
> > there documentation for the internals, about the various components and
> > analyzers and how they analyze traffic? I am looking for a basic
> Most of it is documented with various settings here:
> There are a lot of settings in there, but look for things like "tcp" and
Thank you very much. This looks like a good start.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
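As an added illustration of the window/threshold tradeoff discussed in this message (it is not code from the thread and not Bro's own scan detector), the sliding-window counter below fires when at least m events fall within any interval of length t, using the n, m and t of the message. The attack timestamps are constructed inline. It also reports the peak number of timestamps the detector had to retain, which is the memory cost that grows with t: a slowed-down stream evades a short window, a longer window catches it, and the longer window holds more state.

```python
from collections import deque


def sliding_window_alarm(timestamps, m, t):
    """Threshold detector: alarm when >= m events occur within any span of t seconds.

    Returns (alarm_at, peak_state): the time the alarm first fired (None if it
    never did) and the largest number of timestamps retained at once, which is
    the memory the detector needs for a given t and event rate.
    """
    window = deque()          # timestamps no older than t relative to the newest
    alarm_at = None
    peak_state = 0
    for ts in sorted(timestamps):
        window.append(ts)
        # Expire events that fell out of the t-second history.
        while ts - window[0] > t:
            window.popleft()
        peak_state = max(peak_state, len(window))
        if alarm_at is None and len(window) >= m:
            alarm_at = ts
    return alarm_at, peak_state


def attack_timestamps(n, interval, start=0.0):
    """Constructed sample: n events spaced `interval` seconds apart."""
    return [start + i * interval for i in range(n)]


if __name__ == "__main__":
    n, m = 20, 5
    fast = attack_timestamps(n, 1.0)   # one packet per second
    slow = attack_timestamps(n, 2.0)   # same n packets, half the rate

    print("fast stream, t=5s :", sliding_window_alarm(fast, m, 5.0))
    print("slow stream, t=5s :", sliding_window_alarm(slow, m, 5.0))   # evades
    print("slow stream, t=20s:", sliding_window_alarm(slow, m, 20.0))  # detected
```

The three calls show the point of the message directly: at one packet per second the alarm fires at t=5 s; at half the rate no 5-second window ever holds 5 packets, so the same n packets go unnoticed; widening t to 20 s detects the slow stream, at the price of retaining 11 timestamps instead of 3.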