[Bro] Creating anomaly detection IDPS
briford.wylie at gmail.com
Wed May 24 14:42:18 PDT 2017
There are several plugins https://github.com/bro/bro-plugins where you can
move/process the Bro data. If you like Python/Pandas/Scikit-Learn you might
try the Python BroThon package (https://github.com/Kitware/BroThon) which
I started working on... we're working on anomaly detection using
scikit-learn i-forests and some other stuff with it...
If you want to use Bro Scripts there might be some examples here to start
playing around with:
On Wed, May 24, 2017 at 2:32 PM, Miller, Brad L <BLMILLER at comerica.com>
> My take is that while Bro has the intel framework and bro scripts to
> classify and alert on traffic, the real anomaly detection/heavy lifting
> should be done where the bro data is stored. We use Bro as a (big) data
> source for analytics and discovery.
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *fatema
> *Sent:* Wednesday, May 24, 2017 4:22 PM
> *To:* daniel_aka_sniper_d at hotmail.com
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] Creating anomaly detection IDPS
> Hi Dan,
> There are various ways one can use to detect anomaly using Bro based on
> the network traffic.
> Use of Intel FW and Scan scripts with Bro gives a start to detect
> different types of scanning and other suspicious activity going on in the
> Not sure what's exactly your use-case is regarding NSL-KDD training sets
> with Bro.
> Are you trying to use Bro generated network data as the test set for your
> classifiers/learning algos, or trying to feed Bro with the NSL-KDD
> training sets? I don't think machine learning is currently being supported
> by Bro.
> Or I might have misunderstood the question :)
> Bro mailing list
> bro at bro-ids.org
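The workflow Brian sketches above (read Bro's ASCII logs into Python, then score connections with an isolation forest) as an added, self-contained example. This is not code from the thread, from BroThon or from scikit-learn: the conn.log sample is constructed here, and the isolation forest is a small from-scratch implementation of the Liu/Ting/Zhou algorithm that stands in for scikit-learn's `IsolationForest`. It assumes Bro's default ASCII log layout (`#separator`, `#fields`, `#types` header lines, tab-separated records, `-` for unset fields) and scores each connection on duration, orig_bytes and resp_bytes.

```python
"""Parse a Bro/Zeek conn.log and rank connections by isolation-forest anomaly score."""
import math
import random


def parse_bro_log(text):
    """Turn Bro's ASCII log format into a list of dicts keyed by the #fields names."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # Bro writes the separator escaped, e.g. "#separator \x09" (literal backslash).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #set_separator, #types, #close ... carry no records
        else:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def to_features(rows):
    """Numeric feature vector per connection; '-' (unset) and '(empty)' become 0."""
    def num(v):
        return 0.0 if v in ("-", "(empty)") else float(v)
    return [(num(r["duration"]), num(r["orig_bytes"]), num(r["resp_bytes"])) for r in rows]


def _c(m):
    """Average path length of an unsuccessful BST search, used to normalise scores."""
    if m <= 1:
        return 0.0
    return 2.0 * (math.log(m - 1) + 0.5772156649) - 2.0 * (m - 1) / m


def _build(points, depth, limit, rng):
    """Grow one isolation tree with random feature / random split value."""
    n = len(points)
    if n <= 1 or depth >= limit:
        return ("leaf", n)
    f = rng.randrange(len(points[0]))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return ("leaf", n)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    return ("node", f, split, _build(left, depth + 1, limit, rng), _build(right, depth + 1, limit, rng))


def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, f, split, left, right = tree
    return _path_length(left if x[f] < split else right, x, depth + 1)


def isolation_forest_scores(points, n_trees=100, seed=7):
    """Anomaly score in (0, 1) per point; values well above 0.5 are outliers."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(len(points)))
    trees = [_build(points, 0, limit, rng) for _ in range(n_trees)]
    cn = _c(len(points))
    return [2 ** (-(sum(_path_length(t, x) for t in trees) / n_trees) / cn) for x in points]


def rank_anomalies(log_text, n_trees=100, seed=7):
    """Return (score, uid) pairs, most anomalous first."""
    rows = parse_bro_log(log_text)
    scores = isolation_forest_scores(to_features(rows), n_trees, seed)
    return sorted(zip(scores, (r["uid"] for r in rows)), reverse=True)


def build_sample_conn_log(n_normal=40, seed=1):
    """Constructed conn.log: ordinary HTTP sessions plus one huge, long outbound transfer."""
    rng = random.Random(seed)
    lines = [
        "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-", "#path\tconn",
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
        "\tduration\torig_bytes\tresp_bytes\tconn_state",
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    ]
    for i in range(n_normal):
        lines.append("\t".join([f"{1495660000 + i}.000000", f"C{i:04d}", "10.0.0.5", str(40000 + i),
                                "93.184.216.34", "80", "tcp", "http", f"{rng.uniform(0.05, 2.0):.3f}",
                                str(rng.randint(200, 1500)), str(rng.randint(500, 20000)), "SF"]))
    lines.append("\t".join(["1495660100.000000", "C9999", "10.0.0.5", "41000", "203.0.113.9", "443",
                            "tcp", "-", "600.000", "50000000", "1200", "SF"]))
    lines.append("#close\t2017-05-24-14-42-18")
    return "\n".join(lines)


if __name__ == "__main__":
    for score, uid in rank_anomalies(build_sample_conn_log())[:5]:
        print(f"{uid}\t{score:.3f}")
```

The tree depth is capped at ceil(log2(n)) as in the original paper, so ordinary connections bottom out at the limit while the outlier is split off in a couple of random cuts and gets a short average path, hence a score near 1. On real Bro data the same pipeline would be run per service (http, dns, ssl) with more features; a score threshold rather than a top-k cut is what you would wire into an alert.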