[Bro] Bro Anomaly Detection
Slagell, Adam J
slagell at illinois.edu
Tue Feb 18 07:49:03 PST 2014
Bro doesn't fit well into either the anomaly-based or signature-based paradigm and is often referred to as a specification-based IDS. However, it is probably best understood as more than an IDS: a network analysis framework that combines a powerful state engine with a full computer language aimed at network analysis.
So to answer your question, there are not separate "modules". There is a set of scripts [1] that come with Bro, and the ability to customize and add to these. If you are interested in doing signature-based detection, look at [2].
I hope this helps to get you started.
:Adam Slagell
[1] http://www.bro.org/sphinx/scripts/index.html
[2] http://www.bro.org/sphinx/frameworks/signatures.html
On Feb 18, 2014, at 7:10 AM, Mr Smith <engineer.demo2020 at gmail.com> wrote:
Hi, I have two questions regarding the Bro anomaly detection capability.
1. How does Bro detect anomalies? By writing rules (anomaly rules) or by using a separate module?
2. Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can Bro be used only for the detection of anomalies? If it is possible, how?
Thanks
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
------
Adam J. Slagell
Chief Information Security Officer
Assistant Director, Cybersecurity
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
http://www.ncsa.illinois.edu/~slagell/
"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
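To make the distinction in the reply above concrete, here is an added example (not code from the original thread or from the Bro project) showing the two mechanisms side by side: a signature file in the format documented at [2], and a short policy script that implements a simple threshold-style anomaly check using only Bro's standard `new_connection` event and the Notice framework. The signature name `example-http-probe`, the module name `ConnCount`, the notice type `Too_Many_Connections`, the threshold of 100, and the payload pattern are all constructed for illustration.

```bro
# --- example.sig (constructed signature file) ---
# Signature-based detection: match a byte pattern in HTTP request payloads.
# A hit raises the built-in signature_match event; it does not need any
# separate "module", only this file loaded with @load-sigs.
signature example-http-probe {
    ip-proto == tcp
    dst-port == 80
    payload /.*\/example-probe-path/
    event "Example HTTP probe pattern observed"
}

# --- conncount.bro (constructed policy script) ---
# Script-based ("specification"/anomaly-style) detection: count new
# connections per source address over a sliding one-minute window and
# raise a notice once a host exceeds a threshold. No signature involved.
@load base/frameworks/notice
@load-sigs ./example.sig

module ConnCount;

export {
    redef enum Notice::Type += { Too_Many_Connections };
    # Hypothetical threshold; tune to the monitored network.
    const threshold = 100 &redef;
}

# Per-source counter; entries expire one minute after creation so the
# count reflects a rolling window rather than the whole capture.
global conns: table[addr] of count &default=0 &create_expire=1min;

event new_connection(c: connection)
{
    local src = c$id$orig_h;
    ++conns[src];
    if ( conns[src] == threshold )
        NOTICE([$note=Too_Many_Connections,
                $src=src,
                $msg=fmt("%s opened %d new connections within one minute", src, threshold)]);
}

# Both mechanisms report through the same event/notice machinery, which is
# why the reply says they are not separable "parts": the signature engine
# simply hands matches to script code.
event signature_match(state: signature_state, msg: string, data: string)
{
    print fmt("signature %s matched on %s: %s", state$sig_id, state$conn$id$orig_h, msg);
}
```

Running `bro -r trace.pcap conncount.bro` against a capture exercises both paths: `notice.log` receives `ConnCount::Too_Many_Connections` entries for hosts that cross the threshold, while signature hits go to `signatures.log` and to the `signature_match` handler. Answering the second question in the thread, leaving out `@load-sigs` yields a deployment with no signature matching at all, only the script-based check.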