[Bro] Bro Anomaly Detection
Slagell, Adam J
slagell at illinois.edu
Tue Feb 18 07:49:03 PST 2014
Bro doesn't fit well into either the anomaly-based or signature based paradigm and is often referred to as a specification-based IDS. However, it is probably best understood as more than an IDS, as a network analysis framework that combines a powerful state engine with a full computer language aimed at network analysis.
So to answer your question, there are not separate "modules". There is a set of scripts that come with Bro, and the ability to customize and add to these. If you are interested in doing signature-based detection, look at .
I hope this helps to get you started.
On Feb 18, 2014, at 7:10 AM, Mr Smith <engineer.demo2020 at gmail.com> wrote:
Hi, I have two questions regarding the Bro anomaly detection capability.
1. How does Bro detect anomalies? By writing rules (anomaly rules), or using a separate module?
2. Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can Bro be used only for the detection of anomalies? If it is possible, how?
Bro mailing list
bro at bro-ids.org
Adam J. Slagell
Chief Information Security Officer
Assistant Director, Cybersecurity
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
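The following is an added illustration of the point made in the reply above; it is not code from the original message or from the Bro project. It shows what "specification-based" detection looks like in practice: a Bro policy script that states which server ports are expected on the monitored network (the baseline set below is constructed for the example and is assumed, not taken from any real site) and raises a Notice whenever an established connection lands on a port outside that specification. No signatures are involved, so it runs with the stock scripts alone; the signature framework is a separate, optional path. The module name and notice type are hypothetical names chosen for the example.

```bro
##! Added example (not Bro project code): specification-based detection of
##! connections to server ports that are not in the site's expected set.

@load base/frameworks/notice
@load base/protocols/conn

module AnomalyDemo;

export {
    redef enum Notice::Type += {
        ## Raised when a connection is established to a responder port
        ## that is not part of the expected-service baseline.
        Unexpected_Service_Port,
    };

    ## Constructed baseline of services this network is expected to offer.
    ## Sites override it with "redef AnomalyDemo::expected_ports += { ... };".
    const expected_ports: set[port] = {
        22/tcp,    # ssh
        25/tcp,    # smtp
        80/tcp,    # http
        443/tcp,   # https
        53/udp,    # dns
    } &redef;

    ## Only inspect connections whose responder is inside the local nets
    ## (Site::local_nets is the stock Bro table of monitored address ranges).
    const only_local_responders = T &redef;
}

## Remember responder (host, port) pairs already reported so the log shows
## each unexpected service once rather than once per connection.
global reported: set[addr, port] &create_expire = 1 day;

event connection_established(c: connection)
{
    local rh = c$id$resp_h;
    local rp = c$id$resp_p;

    # Skip traffic to outside hosts if configured to watch only local servers.
    if ( only_local_responders && ! Site::is_local_addr(rh) )
        return;

    # Conformance check: the port is in the specification, nothing to do.
    if ( rp in expected_ports )
        return;

    if ( [rh, rp] in reported )
        return;
    add reported[rh, rp];

    NOTICE([$note=Unexpected_Service_Port,
            $msg=fmt("connection from %s to %s on unexpected port %s",
                     c$id$orig_h, rh, rp),
            $conn=c,
            $identifier=cat(rh, rp)]);
}
```

Run it against a capture with `bro -r trace.pcap anomaly_demo.bro`; hits appear in notice.log with note type AnomalyDemo::Unexpected_Service_Port. The "anomaly" here is deviation from a stated policy rather than a statistical model, which is why the reply describes Bro as specification-based: the script author decides what normal means, and Bro's state engine enforces it per connection.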