[Bro] Bro as an Anomaly Detector.

Sheharbano Khattak sheharbano.k at gmail.com
Mon Aug 5 12:43:24 PDT 2013

Dear Anil,

Bro is more a network monitor than an anomaly detector. If you wish
to write an anomaly detector, Bro's domain scripting language will greatly
simplify network analysis for you. I believe Bro doesn't have the more
machine learning style anomaly detection* at the moment. However, there are
some scripts for detection of SSH brute forcing, SQL injection attacks and
malicious network scans that rely on deviation from a threshold. You will
find these scripts in the directory /usr/local/bro/share/bro/scripts/policy
(you might need to adjust the path depending on where you installed Bro on your

There is a new framework SumStats** (Bro frameworks are similar to what we
libraries in most other languages--they facilitate tasks which would be
rather tedious to perform) that simplifies the overall task of performing
over network data. Hope this helps.

* You might be interested in looking at the paper
[www.icir.org/*robin*/papers/oakland10-ml.pdf] to know why.


Sheharbano Khattak
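A threshold-based detector of the kind the reply describes, written against the SumStats framework as an added example (it is not from this thread or from the Bro project's own policy scripts): for each originating host it counts the distinct responders whose connections were rejected within a five-minute epoch and raises a notice once that count crosses a threshold. The module name, notice type, stream name and threshold value are assumed names chosen for the example.

```bro
# Added example (not from the Bro project): threshold scan detector on SumStats.
# Assumed names: module Scan_Example, stream "conn.rejected", the threshold value.
@load base/frameworks/sumstats
@load base/frameworks/notice

module Scan_Example;

export {
    # Raised when a host has rejected connections to many distinct responders.
    redef enum Notice::Type += { Rejected_Threshold };
    # Distinct responders with rejected connections before a notice is raised.
    const rejected_threshold: double = 25.0 &redef;
    # Measurement window; per-host counts are reset when each epoch ends.
    const epoch: interval = 5min &redef;
}

event bro_init()
    {
    # UNIQUE counts distinct observed strings (responder addresses), so many
    # rejected attempts against a single responder do not trip the threshold.
    local r1 = SumStats::Reducer($stream="conn.rejected",
                                 $apply=set(SumStats::UNIQUE));
    SumStats::create([$name="rejected-conns",
                      $epoch=epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold after each observation.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["conn.rejected"]$unique + 0.0;
                          },
                      $threshold=rejected_threshold,
                      # Called once per key per epoch when the threshold is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["conn.rejected"];
                          NOTICE([$note=Rejected_Threshold,
                                  $msg=fmt("%s had rejected connections to %d distinct hosts in %s",
                                           key$host, r$unique, epoch),
                                  $src=key$host,
                                  $identifier=cat(key$host)]);  # suppress repeats
                          }]);
    }
# One observation per rejected connection, keyed by the originating host.
event connection_rejected(c: connection)
    {
    SumStats::observe("conn.rejected", [$host=c$id$orig_h],
                      [$str=cat(c$id$resp_h)]);
    }
```

The threshold and epoch are `&redef`, so a site can tune them in local.bro without editing the script; in a cluster deployment SumStats merges the per-worker counts before the threshold is evaluated.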
