[Bro] Tuning Bro

Sravan Bhamidipati bsravanin at gmail.com
Thu Jul 19 10:15:32 PDT 2012

On Thu, Jul 19, 2012 at 8:58 AM, Seth Hall <seth at icir.org> wrote:

> On Jul 19, 2012, at 1:07 AM, Sravan Bhamidipati wrote:
> > What I mean is the following. Suppose an attack involves sending n
> packets. Suppose the alarm related to that attack is set to trigger when
> the IDS sees m packets within a time interval t. (I guess alarms for
> portscans are defined in such a way.)
> Thinking in terms of packets is usually the wrong approach with Bro, but I
> will take "packets" just to mean any arbitrary event that was seen.

What would be a right approach with Bro? Would it be thinking along the
lines of events? I can see that Bro core generates many different events,
 like those defined in event.bif. Are Bro users expected to write scripts
where some actions are taken based on the events seen (say their
combinations and counts)?

 Right now, Bro actually doesn't have any form of scan detection we ship
> with.  We have a script for detecting scanning in our contributed scripts
> repository which had very minimal porting from the 1.5 release of Bro but
> doesn't have a modern feel to it.  Scan detection was removed because it
> became really difficult when we moved to a clustered architecture because
> scan detection involves a global state but in a cluster you have lots of
> processes with partial state.

I am also using the scan.bro script right now.

We are actively working on adding probabilistic data structures to Bro now
> so that ultimately we will be able to keep longer periods of state without
> using too much memory. (that's the hope at least, no promises!)
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120719/e3826ef9/attachment.html 

More information about the Bro mailing list