[Bro] Tuning Bro
bsravanin at gmail.com
Fri Jul 20 11:19:57 PDT 2012
Thank you, Gilbert. I found some of these materials very useful.
Changing constants defined in init-bare.bro didn't affect the detection
rate on my pcaps much, because my problem was not with the detection rate
itself. It turned out to be that some of the notices (like those generated
by scan.bro, detect-bruteforcing.bro) are in a format different from the
default -- they don't contain the 4-tuple of source and destination IP
addresses and port numbers. So they were being missed by my analysis
scripts that compare notices with labels. Modifying those scripts for more
verbose notice generation is showing more positive results.
On Thu, Jul 19, 2012 at 3:24 PM, Clark, Gilbert <gc355804 at ohio.edu> wrote:
> As a supplement, the materials from the most recent bro workshop might be
> a good way to get an overview of how bro works and what the scripting
> language is like.
> Take a look at: http://bro-ids.org/bro-workshop-2011/index.html
> Good luck,
> From: Sravan Bhamidipati <bsravanin at gmail.com>
> Date: Thu, 19 Jul 2012 13:15:32 -0400
> To: Seth Hall <seth at icir.org>
> Cc: "bro at bro-ids.org" <bro at bro-ids.org>
> Subject: Re: [Bro] Tuning Bro
> On Thu, Jul 19, 2012 at 8:58 AM, Seth Hall <seth at icir.org> wrote:
>> On Jul 19, 2012, at 1:07 AM, Sravan Bhamidipati wrote:
>> > What I mean is the following. Suppose an attack involves sending n
>> packets. Suppose the alarm related to that attack is set to trigger when
>> the IDS sees m packets within a time interval t. (I guess alarms for
>> portscans are defined in such a way.)
>> Thinking in terms of packets is usually the wrong approach with Bro, but
>> I will take "packets" just to mean any arbitrary event that was seen.
> What would be a right approach with Bro? Would it be thinking along the
> lines of events? I can see that Bro core generates many different events,
> like those defined in event.bif. Are Bro users expected to write scripts
> where some actions are taken based on the events seen (say their
> combinations and counts)?
>> Right now, Bro actually doesn't have any form of scan detection we ship
>> with. We have a script for detecting scanning in our contributed scripts
>> repository which had very minimal porting from the 1.5 release of Bro but
>> doesn't have a modern feel to it. Scan detection was removed because it
>> became really difficult when we moved to a clustered architecture because
>> scan detection involves a global state but in a cluster you have lots of
>> processes with partial state.
> I am also using the scan.bro script right now.
>> We are actively working on adding probabilistic data structures to Bro now
>> so that ultimately we will be able to keep longer periods of state without
>> using too much memory. (that's the hope at least, no promises!)
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
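The mismatch described at the top of this thread (scan and brute-force notices that carry only `src`/`dst`/`p` rather than the connection 4-tuple in `id.orig_h`/`id.orig_p`/`id.resp_h`/`id.resp_p`) is easy to check mechanically before comparing notices against labels. The following Python is an added example, not code from the thread or from the Bro project; the notice.log layout it parses is an assumption modelled on Bro 2.x tab-separated logs (a `#fields` header, `-` for unset fields), and the sample lines and note names in `SAMPLE_NOTICE_LOG` are constructed.

```python
"""Find Bro notice.log entries that lack the connection 4-tuple.

Added example. The log layout below is an assumption modelled on Bro 2.x
tab-separated logs; the two records are constructed, not real output.
"""

# Constructed sample: one notice with a full connection id, one scan notice
# that only fills the src/n columns (as the thread describes for scan.bro).
SAMPLE_NOTICE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnote\tmsg\tsrc\tdst\tp\tn
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tenum\tstring\taddr\taddr\tport\tcount
1342800000.123\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.9\t22\ttcp\tSignatures::Sensitive_Signature\tconstructed msg\t10.0.0.5\t10.0.0.9\t22\t-
1342800001.456\t-\t-\t-\t-\t-\t-\tScan::Address_Scan\tconstructed msg\t10.0.0.7\t-\t-\t25
"""

FOUR_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")


def parse_bro_log(text):
    """Parse a Bro-style TSV log into a list of dicts keyed by the #fields names.

    Header lines start with '#'; only '#fields' and '#unset_field' matter here.
    Values equal to the unset marker (default '-') become None.
    """
    fields = None
    unset = "-"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count %d != %d" % (len(values), len(fields)))
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


def has_four_tuple(rec):
    """True when all four connection-id columns are set on this notice."""
    return all(rec.get(f) is not None for f in FOUR_TUPLE)


def notice_endpoints(rec):
    """Return (orig_h, orig_p, resp_h, resp_p) for a notice.

    Uses the connection id when present; otherwise falls back to the
    src/dst/p columns so that scan-style notices are still attributable
    to a host instead of being silently dropped by a 4-tuple comparison.
    Missing parts are None.
    """
    if has_four_tuple(rec):
        return (rec["id.orig_h"], int(rec["id.orig_p"]),
                rec["id.resp_h"], int(rec["id.resp_p"]))
    port = int(rec["p"]) if rec.get("p") is not None else None
    return (rec.get("src"), None, rec.get("dst"), port)


def classify_notices(text):
    """Split notice types into those with a full 4-tuple and those without."""
    recs = parse_bro_log(text)
    full = [r["note"] for r in recs if has_four_tuple(r)]
    partial = [r["note"] for r in recs if not has_four_tuple(r)]
    return full, partial


if __name__ == "__main__":
    full_notes, partial_notes = classify_notices(SAMPLE_NOTICE_LOG)
    print("notices with 4-tuple:   ", full_notes)
    print("notices without 4-tuple:", partial_notes)
    for rec in parse_bro_log(SAMPLE_NOTICE_LOG):
        print(rec["note"], "->", notice_endpoints(rec))
```

Running `classify_notices` over a real notice.log before the label comparison tells you which note types your matching script would miss; `notice_endpoints` is the fallback that lets host-only notices still be scored against labels keyed by source address.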