[Bro] Bro as an Anomaly Detector.
sheharbano.k at gmail.com
Mon Aug 5 12:43:24 PDT 2013
Bro is more a network monitor than an anomaly detector. If you wish
to write an anomaly detector, Bro's domain scripting language will greatly
simplify network analysis for you. I believe Bro doesn't have the more
machine-learning-style anomaly detection* at the moment. However, there are
some scripts for detection of SSH brute forcing, SQL injection attacks and
malicious network scans that rely on deviation from a threshold. You will
find these scripts in the directory /usr/local/bro/share/bro/scripts/policy
need to adjust the path depending on where you installed Bro on your
There is a new framework SumStats** (Bro frameworks are similar to what we
libraries in most other languages--they facilitate tasks which would be
rather tedious to perform) that simplifies the overall task of performing
over network data. Hope this helps.
* You might be interested in looking at the paper [www.icir.org/robin/papers/oakland10-ml.pdf] to know why.
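As an added illustration of the threshold-style detection the reply describes (this is example code written for this page, not one of Bro's shipped policy scripts and not the poster's code): a small Bro script that uses the SumStats framework to count failed SSH logins per client address within a measurement epoch and raises a notice once the count crosses a threshold. It assumes the `SSH::heuristic_failed_login` event from Bro's SSH analysis is available; the module name `ExampleSSHGuessing`, the stream name `ssh.login.failure`, and the threshold and epoch values are choices made for the example.

```bro
# Added example (not from the mailing-list post or the Bro project):
# threshold-based detection of SSH password guessing using SumStats.
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/ssh

module ExampleSSHGuessing;  # hypothetical module name chosen for this example

export {
    redef enum Notice::Type += {
        ## Raised when one source exceeds the failed-login threshold in an epoch.
        Password_Guessing,
    };

    ## Failed logins from one originator within one epoch that trigger a notice
    ## (assumed value; tune it to the site's baseline).
    const guessing_threshold: double = 30 &redef;

    ## Measurement window; SumStats resets its counters at the end of each epoch.
    const guessing_epoch = 30min &redef;
}

event bro_init()
{
    # Reducer: sum the observations fed into the "ssh.login.failure" stream, per key.
    local r1: SumStats::Reducer = [$stream="ssh.login.failure",
                                   $apply=set(SumStats::SUM)];

    SumStats::create([$name="example-ssh-guessing",
                      $epoch=guessing_epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key (the originator).
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["ssh.login.failure"]$sum;
                          },
                      $threshold=guessing_threshold,
                      # Called once per key per epoch when the threshold is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["ssh.login.failure"];
                          NOTICE([$note=Password_Guessing,
                                  $msg=fmt("%s appears to be guessing SSH passwords (%d failed logins in %s)",
                                           key$host, r$num, guessing_epoch),
                                  $src=key$host,
                                  $identifier=cat(key$host)]);
                          }]);
}

# Feed one observation per heuristically failed SSH login, keyed by client address.
# SSH::heuristic_failed_login is the event raised by Bro's SSH script (assumed available).
event SSH::heuristic_failed_login(c: connection)
{
    SumStats::observe("ssh.login.failure", [$host=c$id$orig_h], [$num=1]);
}
```

The detector is deliberately simple: a fixed count per epoch, which is exactly the "deviation from a threshold" style the reply contrasts with machine-learning approaches. Because the key is the originating address, the same observation pipeline would work unchanged in a cluster, where SumStats merges per-worker counts before comparing against the threshold; the `$identifier` field keeps the notice framework from repeating the alert for the same host.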