[Bro] Tuning Bro

Clark, Gilbert gc355804 at ohio.edu
Thu Jul 19 12:24:17 PDT 2012

As a supplement, the materials from the most recent Bro workshop might be a good way to get an overview of how Bro works and what the scripting language is like.

Take a look at: http://bro-ids.org/bro-workshop-2011/index.html

Good luck,

From: Sravan Bhamidipati <bsravanin at gmail.com>
Date: Thu, 19 Jul 2012 13:15:32 -0400
To: Seth Hall <seth at icir.org>
Cc: "bro at bro-ids.org" <bro at bro-ids.org>
Subject: Re: [Bro] Tuning Bro

On Thu, Jul 19, 2012 at 8:58 AM, Seth Hall <seth at icir.org> wrote:

On Jul 19, 2012, at 1:07 AM, Sravan Bhamidipati wrote:

> What I mean is the following. Suppose an attack involves sending n packets. Suppose the alarm related to that attack is set to trigger when the IDS sees m packets within a time interval t. (I guess alarms for portscans are defined in such a way.)

Thinking in terms of packets is usually the wrong approach with Bro, but I will take "packets" just to mean any arbitrary event that was seen.

What would be a right approach with Bro? Would it be thinking along the lines of events? I can see that Bro core generates many different events, like those defined in event.bif. Are Bro users expected to write scripts where some actions are taken based on the events seen (say their combinations and counts)?

Right now, Bro actually doesn't have any form of scan detection we ship with.  We have a script for detecting scanning in our contributed scripts repository which had very minimal porting from the 1.5 release of Bro but doesn't have a modern feel to it.  Scan detection was removed because it became really difficult when we moved to a clustered architecture because scan detection involves a global state but in a cluster you have lots of processes with partial state.

I am also using the scan.bro script right now.

We are actively working on adding probabilistic data structures to Bro now so that ultimately we will be able to keep longer periods of state without using too much memory. (that's the hope at least, no promises!)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
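The "m events within interval t" pattern Sravan asks about, expressed the event-driven way Seth describes, as an added illustration that is not code from any poster or from the Bro project. It counts connection_attempt events per source address in a table whose entries expire after a configurable window and raises a notice when a source crosses the threshold. The module name ThresholdExample, the notice type Threshold_Exceeded, and the threshold and window values are assumptions chosen for the example.

```bro
# Added example (not from the thread or the Bro distribution).
# Per-source count of connection attempts within a sliding window,
# raising a notice once a configurable threshold is reached.
module ThresholdExample;

export {
    redef enum Notice::Type += {
        # Raised when one source exceeds `threshold` attempts within `window`.
        Threshold_Exceeded,
    };

    # Number of events that triggers the notice (assumed value).
    const threshold = 20 &redef;

    # Time window over which events are counted (assumed value).
    const window = 5min &redef;
}

# Counter per originating address. &create_expire drops an entry `window`
# after it was created, so the count covers at most one window; &default
# lets the first increment work without an explicit insert.
global attempts: table[addr] of count &default=0 &create_expire=window;

# connection_attempt is a core event from event.bif: a TCP SYN seen with
# no reply yet, which is the raw signal a simple scan detector looks at.
event connection_attempt(c: connection)
{
    local src = c$id$orig_h;
    ++attempts[src];

    # Fire exactly once per window per source, when the threshold is hit.
    if ( attempts[src] == threshold )
        NOTICE([$note=Threshold_Exceeded,
                $src=src,
                $msg=fmt("%s made %d connection attempts within %s",
                         src, threshold, window)]);
}
```

Loading this on a standalone instance (or running it with `bro -r trace.pcap`) is enough to see notices in notice.log. On a cluster the `attempts` table lives separately in each worker, so a source spread across workers is only counted in fragments; that is exactly the partial-state problem Seth mentions, and a real deployment would need to aggregate the counts at the manager rather than keep them per worker.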
