[Bro] Bro behavioral analysis

James Lay jlay at slave-tothe-box.net
Wed Jul 29 05:59:53 PDT 2015

On Wed, 2015-07-29 at 14:08 +0200, Savakh S wrote:

> Can someone explain why Bro is said "behavioral" IDS  and give an
> example ? I understand Bro can perform protocol analysis, DPI, by its
> analyzers, but what about "behavioral" ?
> Thanks in advance.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Consider the below:


##! A script for handling URLs in SMTP traffic. This script does 
##! two things. It logs URLs discovered in SMTP traffic. It 
##! also records them in a bloomfilter and looks for them to be
##! visited through HTTP requests. 
##! Authors: Aashish Sharma <asharma at lbl.gov>
##! Seth Hall <seth at icir.org>

That may fit the bill as "behavioral".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150729/f207469f/attachment-0001.html 

More information about the Bro mailing list