[Bro] Creating anomaly detection IDPS

Brian Wylie briford.wylie at gmail.com
Wed May 24 14:42:18 PDT 2017

There are several plugins https://github.com/bro/bro-plugins where you can
move/process the Bro data. If you like Python/Pandas/Scikit-Learn you might
try the Python BroThon package (https://github.com/Kitware/BroThon)  which
I started working on... we're working on anomaly detection using
scikit-learn i-forests and some other stuff with it...

If you want to use Bro Scripts there might be some examples here to start
playing around with:
- https://github.com/phirelight/bro-scripts
- https://github.com/sooshie/bro-scripts
- https://github.com/bro/bro-scripts

On Wed, May 24, 2017 at 2:32 PM, Miller, Brad L <BLMILLER at comerica.com>

> My take is that while Bro has the intel framework and bro scripts to
> classify and alert on traffic, the real anomaly detection/heavy lifting
> should be done where the bro data is stored.  We use Bro as a (big) data
> source for analytics and discovery.
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *fatema
> bannatwala
> *Sent:* Wednesday, May 24, 2017 4:22 PM
> *To:* daniel_aka_sniper_d at hotmail.com
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] Creating anomaly detection IDPS
> Hi Dan,
> There are various ways one can use to detect anomaly using Bro based on
> the network traffic.
> Use of Intel FW and Scan scripts with Bro gives a start to detect
> different types of scanning and other suspicious activity going on in the
> network.
> Not sure what's exactly your use-case is regarding NSL-KDD training sets
> with Bro.
> Are you trying to use Bro generated network data as the test set for your
> classifiers/learning algos?, or trying to feed Bro with the NSL-KDD
> training sets? I don't think machine learning is currently being supported
> by Bro.
> Or I might have mis-understood the question :)
> -Fatema.
> Please be aware that if you reply directly to this particular message,
> your reply may not be secure. Do not use email to send us communications
> that contain unencrypted confidential information such as passwords,
> account numbers or Social Security numbers. If you must provide this type
> of information, please visit comerica.com to submit a secure form using
> any of the ”Contact Us” forms. In addition, you should not send via email
> any inquiry or request that may be time sensitive. The information in this
> e-mail is confidential. It is intended for the individual or entity to whom
> it is addressed. If you have received this email in error, please destroy
> or delete the message and advise the sender of the error by return email.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170524/e5c96208/attachment-0001.html 

More information about the Bro mailing list