[Bro] 1) Bro binary 2) Bro position in IDSs models

Christian Kreibich christian at whoop.org
Tue Sep 13 11:32:29 PDT 2005


On Mon, 2005-09-12 at 17:01 -0700, nuno romano wrote:
> 1)
> 
> I got a bro binary of the 0.9 version, approximately 22 Megabytes.
> I compiled in Debian 3.1, PowerPC, with a straightforward
> ./configure, make. All seemed normal during the compilation. At first
> sight it seems a working binary. So, do I have a statically linked
> binary, with the overweight of the statically linked libraries?

That sounds awfully big. Can you post the output of your configure run,
please?

> 2)
> 
> In a paper (2003) called "The Intelligent IDS: The Next Generation of
> Intrusion Detection Management Revealed", Andre Yee of NFR Security
> Inc. positioned the ISS and NFR IDSs high in both detection models:
> Protocol Anomaly Detection and Pattern Matching (a logical assumption
> in its position). How does the Bro IDS position itself in these
> models? For Bro users who have a general knowledge about ISS and
> NFR IDSs.

The short answer is "Bro can do both." Its model is more general than
any single category -- remote or local Bro nodes feed events into policy
scripts that are provided in the distribution and adapted to your needs,
or implemented from scratch by you. By configuring the handling of these
events accordingly, you can realize pretty much any network-based
intrusion detection model. The range of events provided gives you all
the building blocks needed for both protocol anomaly detection and
pattern matching. 

Please refer to the website & the manuals for more information.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
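The first question in this thread asks whether a 22 MB bro binary is statically linked. The script below is an added example, not part of this thread and not Bro project code; it reads the ELF program and section headers directly, so it answers "static or dynamic?" (PT_INTERP/PT_DYNAMIC present or not) and "stripped or not?" (SHT_SYMTAB present or not) without depending on file(1), ldd(1) or nm(1). An unstripped build that still carries its full symbol table and debug information is the usual reason a freshly compiled binary is far larger than the installed one. It handles ELF32 and ELF64 in either byte order, so it applies to the big-endian PowerPC build mentioned above as well as to x86-64. The `build_sample` helper constructs a minimal headers-only ELF image so the checks can be run offline; it is a constructed sample, not a real executable, and the function names are this example's own.

```python
"""Check whether an ELF binary is statically linked and whether it is
stripped, by reading the ELF headers directly (no file(1)/ldd(1)/nm(1)).

Added example, not Bro project code. Handles ELF32 and ELF64 in either
byte order, so it works on a PowerPC (big-endian, 32-bit) build as well
as on x86-64.
"""
import struct
import sys

PT_INTERP, PT_DYNAMIC = 3, 2   # program header types present in dynamically linked executables
SHT_SYMTAB = 2                 # the full symbol table that strip(1) removes


def _header(data):
    """Parse e_ident and the ELF header; return what is needed to walk
    the program header and section header tables."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big (PowerPC)
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (_e_type, _e_machine, _e_version, _e_entry, phoff, shoff, _e_flags,
     _ehsize, phentsize, phnum, shentsize, shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return endian, phoff, phentsize, phnum, shoff, shentsize, shnum


def program_header_types(data):
    """p_type is the first 32-bit field of every program header, ELF32 or ELF64."""
    endian, phoff, phentsize, phnum, _, _, _ = _header(data)
    return [struct.unpack_from(endian + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]


def section_header_types(data):
    """sh_type sits at offset 4 in every section header; a file with no
    section header table (e_shoff == 0) yields an empty list."""
    endian, _, _, _, shoff, shentsize, shnum = _header(data)
    if shoff == 0:
        return []
    return [struct.unpack_from(endian + "I", data, shoff + i * shentsize + 4)[0]
            for i in range(shnum)]


def is_static(data):
    """A dynamically linked executable carries PT_INTERP (path of the loader)
    and PT_DYNAMIC (the .dynamic section); with neither, nothing is resolved
    at load time, i.e. the binary is statically linked."""
    return not (set(program_header_types(data)) & {PT_INTERP, PT_DYNAMIC})


def is_stripped(data):
    """strip(1) removes .symtab (SHT_SYMTAB). .dynsym has its own section
    type and survives stripping, so only the full table counts here."""
    return SHT_SYMTAB not in section_header_types(data)


def describe(path):
    """Report size, linkage and symbol-table state for the file at path."""
    with open(path, "rb") as f:
        data = f.read()
    return {"bytes": len(data), "static": is_static(data), "stripped": is_stripped(data)}


def build_sample(is64=True, big_endian=False, dynamic=True, symtab=True):
    """Construct a minimal ELF image (headers only, no code) for offline
    testing. This is a constructed sample, not a real executable."""
    endian = ">" if big_endian else "<"
    ehsize, phentsize, shentsize = (64, 56, 64) if is64 else (52, 32, 40)
    ptypes = [1] + ([PT_INTERP, PT_DYNAMIC] if dynamic else [])   # PT_LOAD always present
    stypes = [0, 1] + ([SHT_SYMTAB] if symtab else [])            # SHT_NULL, SHT_PROGBITS
    phoff = ehsize
    shoff = phoff + phentsize * len(ptypes)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    e_machine = 20 if big_endian else 62    # EM_PPC / EM_X86_64, cosmetic for this check
    header = ident + struct.pack(fmt, 2, e_machine, 1, 0, phoff, shoff, 0, ehsize,
                                 phentsize, len(ptypes), shentsize, len(stypes), 0)
    phdrs = b"".join(struct.pack(endian + "I", t).ljust(phentsize, b"\0") for t in ptypes)
    shdrs = b"".join((b"\0" * 4 + struct.pack(endian + "I", t)).ljust(shentsize, b"\0")
                     for t in stypes)
    return header + phdrs + shdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:          # e.g. python elfcheck.py ./bro
            print(p, describe(p))
    else:                               # no path given: exercise the constructed samples
        for dyn in (True, False):
            print("dynamic=%s -> static=%s" % (dyn, is_static(build_sample(dynamic=dyn))))
```

Run it as `python elfcheck.py ./bro` (the file name is an assumption) on the freshly built binary. A result of `static: False, stripped: False` means the size comes from the symbol table and debug sections rather than from statically linked libraries; comparing `bytes` before and after `strip` confirms it. `static: True` means the configure run really did produce a static link, which is what the configure output requested above would show.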