[Bro] Bro behavioral analysis

Michael Shirk shirkdog.bsd at gmail.com
Wed Jul 29 06:11:04 PDT 2015


On Jul 29, 2015 9:02 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
> On Wed, 2015-07-29 at 14:08 +0200, Savakh S wrote:
>>
>> Can someone explain why Bro is said "behavioral" IDS and give an
>> example ? I understand Bro can perform protocol analysis, DPI, by its
>> analyzers, but what about "behavioral" ?
>>
>> Thanks in advance.
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> Consider the below:
>
> https://github.com/bro/bro-scripts/blob/master/smtp-url.bro
>
> ##! A script for handling URLs in SMTP traffic. This script does
> ##! two things. It logs URLs discovered in SMTP traffic. It
> ##! also records them in a bloomfilter and looks for them to be
> ##! visited through HTTP requests.
> ##!
> ##! Authors: Aashish Sharma <asharma at lbl.gov>
> ##! Seth Hall <seth at icir.org>
>
> That may fit the bill as "behavioral".
>
> James

weird.log is the definition of "weird behavior". And these are examples of
what exists, as there may be test cases you develop based on traffic that
you see. Bro could handle and alert on abnormal behavior based on your
criteria.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com
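The kind of cross-protocol correlation James points at, written out as a Bro script. This is an added example for this thread: it is not the smtp-url.bro script linked above and not code from the Bro project. It assumes the Bro 2.x scripting API (the mime_all_data and http_header events, bloomfilter_basic_init/bloomfilter_add/bloomfilter_lookup, HTTP::build_url_http and the Notice framework); the module name, the notice type and the tunables are made up for the example.

```bro
##! Added example (not smtp-url.bro, not Bro project code): raise a notice
##! when a URL first seen inside an e-mail body is later requested over HTTP.
##! The detection keys on the sequence of events across two protocols, which
##! is what makes it "behavioral" rather than a per-packet signature.
##!
##! Assumes the Bro 2.x script API. MailedURLs, Mailed_URL_Visited, url_ttl,
##! url_capacity and url_fp_rate are names invented for this example.

@load base/protocols/smtp
@load base/protocols/http
@load base/frameworks/notice

module MailedURLs;

export {
	redef enum Notice::Type += {
		## A URL seen in an e-mail body was later fetched over HTTP.
		Mailed_URL_Visited,
	};

	## Mailed URLs are forgotten after this long (hypothetical tunable).
	const url_ttl = 1day &redef;

	## Sizing of the Bloom filter that remembers mailed URLs.
	const url_capacity = 1000000 &redef;
	const url_fp_rate = 0.001 &redef;
}

## A URL as it appears in mail text; trailing punctuation is trimmed afterwards.
const url_regex = /https?:\/\/[^ \t\r\n"'<>]+/;

## A Bloom filter rather than a set: memory-bounded at the price of a small
## false-positive rate, so a hit is a lead for an analyst, not proof.
global mailed_urls: opaque of bloomfilter;

global forget_mailed_urls: event();

function new_filter(): opaque of bloomfilter
	{
	return bloomfilter_basic_init(url_fp_rate, url_capacity);
	}

function normalize_url(u: string): string
	{
	# Drop punctuation that a sentence leaves glued to the end of a URL,
	# e.g. "see http://example.com/x." -> "http://example.com/x".
	return sub(u, /[.,;:!?)\]]+$/, "");
	}

event forget_mailed_urls()
	{
	# A Bloom filter cannot forget single entries, so expiry is wholesale.
	mailed_urls = new_filter();
	schedule url_ttl { forget_mailed_urls() };
	}

event bro_init()
	{
	mailed_urls = new_filter();
	schedule url_ttl { forget_mailed_urls() };
	}

event mime_all_data(c: connection, length: count, data: string)
	{
	# Only mail bodies; the MIME analyzer is not exclusive to SMTP.
	if ( ! c?$smtp )
		return;

	# mime_all_data hands over decoded entity content, so URLs inside
	# base64 or quoted-printable parts are visible here.
	local urls = find_all(data, url_regex);
	for ( u in urls )
		bloomfilter_add(mailed_urls, normalize_url(u));
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# The base HTTP script stores the Host header in c$http$host at
	# priority 5, so this default-priority handler can rebuild the URL.
	if ( ! is_orig || name != "HOST" || ! c?$http )
		return;

	local url = HTTP::build_url_http(c$http);

	if ( bloomfilter_lookup(mailed_urls, url) == 0 )
		return;

	NOTICE([$note=Mailed_URL_Visited,
	        $msg=fmt("%s fetched a URL first seen in e-mail: %s", c$id$orig_h, url),
	        $sub=url,
	        $conn=c,
	        $identifier=cat(c$id$orig_h, url),
	        $suppress_for=1hr]);
	}
```

Two caveats a practitioner will hit: an https:// link from the mail is never matched, because the fetch is only visible as TLS and http_header never fires for it, and the match is exact-string, so a mailed URL with a mixed-case hostname will not line up with the lower-case Host header unless normalize_url is extended to lower-case the host part. The $identifier/$suppress_for pair keeps one host re-fetching the same URL from flooding notice.log.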