[Bro] Bro behavioral analysis
James Lay
jlay at slave-tothe-box.net
Wed Jul 29 05:59:53 PDT 2015
On Wed, 2015-07-29 at 14:08 +0200, Savakh S wrote:
> Can someone explain why Bro is said "behavioral" IDS and give an
> example ? I understand Bro can perform protocol analysis, DPI, by its
> analyzers, but what about "behavioral" ?
>
> Thanks in advance.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Consider the below:
https://github.com/bro/bro-scripts/blob/master/smtp-url.bro
##! A script for handling URLs in SMTP traffic. This script does
##! two things. It logs URLs discovered in SMTP traffic. It
##! also records them in a bloomfilter and looks for them to be
##! visited through HTTP requests.
##!
##! Authors: Aashish Sharma <asharma at lbl.gov>
##! Seth Hall <seth at icir.org>
That may fit the bill as "behavioral".
James
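To make the "behavioral" part concrete, here is an added Python illustration of the idea the script's header describes: record every URL seen in mail, then watch the HTTP stream for a client later fetching one of them. This is not the smtp-url.bro script and not Bro/Zeek code; the SMTP messages and HTTP requests are constructed sample records, the Bloom filter is a small hand-rolled one, and the normalization of an HTTP request to "http://host/uri" is this example's own choice.

```python
"""Cross-protocol correlation in the spirit of smtp-url.bro (added example, not the Bro script).

Step 1: extract URLs from SMTP message bodies and log them.
Step 2: remember them in a Bloom filter (compact, no URL list kept).
Step 3: for each HTTP request, ask the filter whether that URL came in by mail.
"""
import hashlib
import re

# Constructed sample data; not real traffic.
SMTP_MESSAGES = [
    {"uid": "CmSmtp1", "from": "payroll@example-invoices.test", "to": "alice@corp.test",
     "body": "Your invoice is ready: http://invoice-portal.test/download/inv-4471.zip\n"
             "Questions? Visit https://example.com/help"},
    {"uid": "CmSmtp2", "from": "bob@corp.test", "to": "alice@corp.test",
     "body": "Lunch at noon? Menu: http://cafe.test/menu"},
]
HTTP_REQUESTS = [
    {"uid": "CmHttp1", "orig_h": "10.0.0.5", "host": "invoice-portal.test",
     "uri": "/download/inv-4471.zip"},
    {"uid": "CmHttp2", "orig_h": "10.0.0.5", "host": "www.example-search.test", "uri": "/"},
    # Exact-string matching: the query string makes this differ from the mailed URL.
    {"uid": "CmHttp3", "orig_h": "10.0.0.9", "host": "cafe.test", "uri": "/menu?day=wed"},
]

URL_RE = re.compile(r'https?://[^\s<>"\']+')


class BloomFilter:
    """Minimal Bloom filter: k SHA-256-derived positions over a bit array."""

    def __init__(self, size_bits: int = 8192, hashes: int = 4):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray(size_bits // 8 + 1)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        # "probably seen": false positives are possible, false negatives are not
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def extract_urls(text: str):
    """Pull http(s) URLs out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;:)>") for u in URL_RE.findall(text)]


def build_seen_urls(smtp_messages):
    """Return (bloom_filter, log_entries): the filter for later lookups, the entries for the log."""
    bf = BloomFilter()
    log = []
    for msg in smtp_messages:
        for url in extract_urls(msg["body"]):
            bf.add(url)
            log.append({"uid": msg["uid"], "from": msg["from"], "to": msg["to"], "url": url})
    return bf, log


def http_url(req) -> str:
    """Normalize an HTTP request to the URL form used in mail (assumption: plain http, host + uri)."""
    return f"http://{req['host']}{req['uri']}"


def correlate(smtp_messages, http_requests):
    """Flag HTTP requests whose URL was previously seen in SMTP traffic."""
    bf, _ = build_seen_urls(smtp_messages)
    hits = []
    for req in http_requests:
        url = http_url(req)
        if url in bf:
            hits.append({"http_uid": req["uid"], "client": req["orig_h"], "url": url})
    return hits


if __name__ == "__main__":
    _, smtp_log = build_seen_urls(SMTP_MESSAGES)
    for entry in smtp_log:
        print("smtp_url", entry)
    for hit in correlate(SMTP_MESSAGES, HTTP_REQUESTS):
        print("mail URL visited over HTTP:", hit)
```

Two caveats a practitioner will hit immediately: a mailed https:// URL cannot be matched this way, because only the hostname (not the path) is visible to an HTTP analyzer on a TLS connection, and exact-string matching misses the same link with a different query string or trailing slash, so some normalization of both sides is usually needed. The Bloom filter buys memory at the price of a false-positive rate set by its size and hash count, so size it for the expected number of URLs rather than taking the constants above as given.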