[Bro] Bro as an Anomaly Detector.

Sheharbano Khattak sheharbano.k at gmail.com
Mon Aug 5 12:43:24 PDT 2013


Dear Anil,

Bro is more a network monitor than an anomaly detector. If you wish
to write an anomaly detector, Bro's domain scripting language will greatly
simplify network analysis for you. I believe Bro doesn't have the more
involved machine learning style anomaly detection* at the moment. However,
there are some scripts for detection of SSH brute forcing, SQL injection
attacks and malicious network scans that rely on deviation from a threshold.
You will find these scripts in the directory
/usr/local/bro/share/bro/scripts/policy (you might need to adjust the path
depending on where you installed Bro on your machine).

There is a new framework SumStats** (Bro frameworks are similar to what we
call libraries in most other languages--they facilitate tasks which would be
otherwise rather tedious to perform) that simplifies the overall task of
performing measurements over network data. Hope this helps.

* You might be interested in looking at the paper
[www.icir.org/robin/papers/oakland10-ml.pdf] to know why.

**http://trac.bro-ids.org/sphinx-git/_downloads/main16.bro

Regards.
-- 
Sheharbano Khattak

http://etheryell.com
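The threshold-style detection the reply describes, written against the SumStats framework it points to, as an added example that is not part of the original message or of Bro's own policy scripts. It counts rejected TCP connections per originating host and raises a notice when the count in one epoch crosses a limit; the module, notice and constant names (RejDetect, Rejected_Connections, rej_limit, rej_epoch) are chosen here, and the SumStats record fields follow the Bro 2.2 framework, which is an assumption about that version.

```bro
# Added example: a minimal threshold-based detector on top of SumStats.
# Hypothetical names: RejDetect, Rejected_Connections, rej_limit, rej_epoch.
@load base/frameworks/notice
@load base/frameworks/sumstats

module RejDetect;

export {
    redef enum Notice::Type += {
        ## A source host produced too many rejected connections in one epoch.
        Rejected_Connections,
    };

    ## Rejected connections per source host that trigger the notice.
    const rej_limit: double = 20.0 &redef;

    ## Measurement window over which the count is accumulated.
    const rej_epoch: interval = 5min &redef;
}

event bro_init()
{
    # Reducer: sum the observations on the "rejdetect.rej" stream per key.
    local r1: SumStats::Reducer = [$stream="rejdetect.rej",
                                   $apply=set(SumStats::SUM)];

    SumStats::create([$name="rejdetect",
                      $epoch=rej_epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold: the running sum.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                      {
                          return result["rejdetect.rej"]$sum;
                      },
                      $threshold=rej_limit,
                      # Called once per key and epoch when the limit is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                      {
                          local n = result["rejdetect.rej"]$sum;
                          NOTICE([$note=Rejected_Connections,
                                  $src=key$host,
                                  $msg=fmt("%s had %.0f rejected connections in %s",
                                           key$host, n, rej_epoch),
                                  $identifier=cat(key$host)]);
                      }]);
}

event connection_rejected(c: connection)
{
    # One observation per rejected TCP connection, keyed by the originator.
    SumStats::observe("rejdetect.rej", [$host=c$id$orig_h], [$num=1]);
}
```

Tune rej_limit and rej_epoch to the site's baseline before enabling the notice, since legitimate hosts behind a NAT can produce bursts of rejected connections.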