[Bro] flow-level analysis code
Anton Chuvakin, Ph.D.
anton at netForensics.com
Fri Dec 17 12:16:27 PST 2004
>> I am very interested, but it seems that it is somewhat outside the scope
>> of Bro as a classic NIDS. Reading netflow will make no sense (for Bro)
>> since there is no packet contents.
> Actually, I think it does make sense. Bro can do a fair amount of analysis
> based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
> packet contents. For example, its scan detection is driven off of this
> level of information.
But where you will take it beyond scans?
Maybe automatic 'stepping stone' detection based on flows? Or flow
profiling (for backdoors and trojans with new prots)? It looks like it
will be a very different product as a result.
Also, in this case we will see neither contents nor the header, just the
fact that seesion took place.
Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH
Author of "Security Warrior" from O'Reilly - http://www.securitywarrior.com
Security Strategist
Product Management Group
netForensics - http://www.netForensics.com
**************************************************************************************************
The contents of this email and any attachments are confidential.
They are intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to anyone or make copies.
** netForensics has scanned this email for viruses, vandals and malicious content. **
**************************************************************************************************
More information about the Bro
mailing list