[Bro] Bro programming intro
vladg at cmu.edu
Tue Mar 19 09:12:38 PDT 2013
From: Tritium Cat [tritium.cat at gmail.com]
> Simply buffering uids per Notice seems much easier and less resource intensive than storing additional samples.
It's also much less useful. If I get an e-mail with a list of UIDs, I have to go query my http log before I can determine what action to take. If I get samples, I can make that decision immediately.
I don't understand how tracking UIDs would be less resource intensive. Many SQL scanners I see attempt thousands of requests over separate UIDs. The way samples work is that you specify a number of samples per source IP. I believe the default is 5. I'd much rather have Bro maintain 5 samples per source instead of thousands of UIDs.
> Where is the limit with tracking too much state or using too many cycles within the "IDS" ?
One side note: Bro hasn't been labelled as an IDS for a while. Network Security Monitor strikes closer to what Bro has become.
> I am wary of inadvertently creating DoS conditions with a philosophy that may encompass every script I write in Bro.
A fair concern, and one I think I addressed above. I would note that I haven't had any such problems with the scripts that ship with Bro.
> I am still interested in a list of key papers on the internals if anyone has a few.
More information about the Bro
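The per-source sample buffering described in the reply above (keep a small fixed number of samples per source IP instead of one UID per request), as an added example in Python that is not part of the original message and not Bro's own implementation. The log layout, the `SQLI_RE` pattern, the `SqliTracker` class and the threshold of 50 are all assumptions made for this illustration; the input is a constructed http.log-like text, not real traffic.

```python
import re
from collections import defaultdict

# Simplified SQL-injection probe pattern.  This is an assumption for the
# example, not Bro's detect-sqli regex; it matches a few common probe shapes.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b[^\n]*\bselect\b|'\s*or\s*'|\bsleep\s*\(|--\s*$|/\*)"
)


def build_sample_log():
    """Constructed http.log-like text, one tab-separated record per line with the
    fields ts, uid, id.orig_h, id.resp_h, method, uri.  Not real traffic: one
    scanner (10.0.0.5) sends 1000 probes, one benign client (10.0.0.7) sends 20."""
    lines = ["#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\turi"]
    payloads = ["' OR '1'='1", "1 UNION SELECT 1,2,3", "1' AND sleep(5)--", "1/**/OR/**/1=1"]
    for i in range(1000):
        uri = "/item.php?id=%d%s" % (i, payloads[i % len(payloads)])
        lines.append("1363707158.%03d\tC%06d\t10.0.0.5\t192.0.2.10\tGET\t%s" % (i, i, uri))
    for i in range(20):
        lines.append("1363707160.%03d\tD%06d\t10.0.0.7\t192.0.2.10\tGET\t/item.php?id=%d" % (i, i, i))
    return "\n".join(lines) + "\n"


class SqliTracker:
    """Per-source state: a hit counter plus at most `max_samples` (uid, uri) pairs.
    Memory per source is bounded by max_samples no matter how many probes arrive,
    which is the point the reply makes about samples versus a list of UIDs."""

    def __init__(self, threshold=50, max_samples=5):
        self.threshold = threshold
        self.max_samples = max_samples
        self.counts = defaultdict(int)      # src -> number of matching requests
        self.samples = defaultdict(list)    # src -> first max_samples (uid, uri)
        self.notified = set()               # sources already raised once

    def observe(self, src, uid, uri):
        """Feed one request.  Returns a notice dict the first time `src` crosses
        the threshold, otherwise None.  Non-matching requests touch no state."""
        if not SQLI_RE.search(uri):
            return None
        self.counts[src] += 1
        if len(self.samples[src]) < self.max_samples:
            self.samples[src].append((uid, uri))
        if self.counts[src] >= self.threshold and src not in self.notified:
            self.notified.add(src)
            return {
                "note": "HTTP::SQL_Injection_Attacker",   # hypothetical notice name
                "src": src,
                "count": self.counts[src],
                "samples": list(self.samples[src]),      # enough to act on directly
            }
        return None

    def stored_entries(self):
        """Total number of (uid, uri) pairs held across all sources."""
        return sum(len(v) for v in self.samples.values())


def run_log(log_text, tracker):
    """Parse the tab-separated records, skipping '#' header lines, and return
    the list of notices the tracker raised."""
    notices = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, resp_h, method, uri = line.split("\t", 5)
        notice = tracker.observe(orig_h, uid, uri)
        if notice is not None:
            notices.append(notice)
    return notices


if __name__ == "__main__":
    tracker = SqliTracker()
    for n in run_log(build_sample_log(), tracker):
        print(n["note"], n["src"], "count=%d" % n["count"])
        for uid, uri in n["samples"]:
            print("  ", uid, uri)
    print("requests counted:", tracker.counts["10.0.0.5"],
          "entries stored:", tracker.stored_entries())
```

After the run the scanner's counter has reached 1000 while only five (uid, uri) pairs are retained, and the benign client has created no state at all. A real deployment would additionally expire idle per-source entries (Bro tables support this with attributes such as `&create_expire`), otherwise the table of sources itself grows without bound even though each entry is small.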