[Bro] Tuning Bro

[Seth Hall]

On Jul 19, 2012, at 1:07 AM, Sravan Bhamidipati wrote:

> What I mean is the following. Suppose an attack involves sending n packets. Suppose the alarm related to that attack is set to trigger when the IDS sees m packets within a time interval t. (I guess alarms for portscans are defined in such a way.)

Thinking in terms of packets is usually the wrong approach with Bro, but I will take "packets" just to mean any arbitrary event that was seen.  Right now, Bro actually doesn't have any form of scan detection we ship with.  We have a script for detecting scanning in our contributed scripts repository which had very minimal porting from the 1.5 release of Bro but doesn't have a modern feel to it.  Scan detection was removed because it became really difficult when we moved to a clustered architecture because scan detection involves a global state but in a cluster you have lots of processes with partial state.

We are actively working on adding probabilistic data structures to Bro now so that ultimately we will be able to keep longer periods of state without using too much memory. (that's the hope at least, no promises!)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/