[Bro] Bro programming intro

Vlad Grigorescu vladg at cmu.edu
Tue Mar 19 09:12:38 PDT 2013

From:Tritium Cat [tritium.cat at gmail.com]

> Simply buffering uids per Notice? seems much easier and less resource intensive than storing additional? samples.

It's also much less useful. If I get an e-mail with a list of UIDs, I have to go query my http log before I can determine what action to take. If I get samples, I can make that decision immediately.

I don't understand how tracking UIDs would be less resource intensive. Many SQL scanners I see attempt thousands of requests over separate UIDs. The way samples work is that you specify a number of samples per source IP. I believe the default is 5. I'd much rather have Bro maintain 5 samples per source instead of thousands of UIDs.

> Where is the limit with tracking too much state or using too many cycles within the "IDS" ?

One side note: Bro hasn't been labelled as an IDS for a while. Network Security Monitor strikes closer to what Bro has become.

>  I am weary of inadvertently creating DoS conditions with a philosophy that may encompass every script I write in Bro.

A fair concern, and one I think I addressed above. I would note that I haven't had any such problems with the scripts that ship with Bro.

> I am still interested in a list of key papers on the internals if anyone has a few.



More information about the Bro mailing list