[Bro] Bro behavioral analysis
Michael Shirk
shirkdog.bsd at gmail.com
Wed Jul 29 06:11:04 PDT 2015
On Jul 29, 2015 9:02 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
> On Wed, 2015-07-29 at 14:08 +0200, Savakh S wrote:
>>
>> Can someone explain why Bro is called a "behavioral" IDS and give an
>> example? I understand Bro can perform protocol analysis, DPI, by its
>> analyzers, but what about "behavioral"?
>>
>> Thanks in advance.
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> Consider the below:
>
> https://github.com/bro/bro-scripts/blob/master/smtp-url.bro
>
> ##! A script for handling URLs in SMTP traffic. This script does
> ##! two things. It logs URLs discovered in SMTP traffic. It
> ##! also records them in a bloomfilter and looks for them to be
> ##! visited through HTTP requests.
> ##!
> ##! Authors: Aashish Sharma <asharma at lbl.gov>
> ##! Seth Hall <seth at icir.org>
>
> That may fit the bill as "behavioral".
>
> James
weird.log is the definition of "weird behavior". And these are examples of
what exists, as there may be test cases you develop based on traffic that
you see. Bro could handle and alert on abnormal behavior based on your
criteria.
--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com
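The cross-protocol pattern James points at in smtp-url.bro (remember every URL seen in mail, then watch for one of them being fetched over HTTP) is easy to re-create outside of Bro, and seeing it in plain code makes the "behavioral" part concrete: nothing in a single packet or connection is suspicious on its own; the alert comes from state carried from one protocol to another. The script below is an added example written for this thread in Python, not the bro-scripts code and not anything the thread's authors posted. The URL regex, the Bloom filter sizing, the sample mail body and the sample HTTP requests are all constructed for illustration.

```python
import hashlib
import re

# Constructed for the example: the URL pattern and the Bloom filter sizing
# are choices made here, not those of smtp-url.bro.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


class BloomFilter:
    """Minimal Bloom filter: k bit positions in an m-bit array.

    It can report a URL as "seen" that never was (false positive) but never
    misses one that was added, which is why a hit is a lead to confirm
    against the logged SMTP URLs, not a verdict by itself."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 4):
        self.m = m_bits
        self.k = k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item: str):
        # Slice one SHA-256 digest into k 4-byte words; enough independence
        # for a demo (a production filter would use double hashing).
        digest = hashlib.sha256(item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


def extract_urls(mail_body: str) -> list:
    """Pull URLs out of a mail body, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(mail_body)]


class MailLinkCorrelator:
    """Cross-protocol state: remember URLs delivered by mail, then flag
    cleartext HTTP requests that reproduce one of them."""

    def __init__(self):
        self.mailed = BloomFilter()

    def on_smtp_body(self, body: str) -> list:
        urls = extract_urls(body)
        for url in urls:
            self.mailed.add(url)
        return urls

    def on_http_request(self, host: str, uri: str):
        # A passive sensor only sees cleartext HTTP, so the URL is rebuilt
        # with the http scheme; an https link in the mail will not match
        # this way, which is a real limitation of the approach.
        url = "http://" + host + uri
        return url if url in self.mailed else None


# Constructed sample data: one mail body and three later HTTP requests.
SAMPLE_MAIL = (
    "Hi,\n"
    "please review the invoice at http://billing.example.net/inv/4471.html today.\n"
    "Our site: https://www.example.com/\n"
)
SAMPLE_HTTP = [
    ("billing.example.net", "/inv/4471.html"),
    ("www.example.com", "/"),
    ("cdn.example.org", "/lib.js"),
]


def demo() -> list:
    """Feed the constructed traffic through the correlator; return hits."""
    c = MailLinkCorrelator()
    c.on_smtp_body(SAMPLE_MAIL)
    return [url for host, uri in SAMPLE_HTTP
            if (url := c.on_http_request(host, uri)) is not None]


if __name__ == "__main__":
    for hit in demo():
        print("mail-delivered link visited over HTTP:", hit)
```

Two things worth keeping in mind if you do this for real: a Bloom filter hit is probabilistic, so confirm it against the URLs you logged from SMTP before raising anything, and only links that are later fetched in the clear can be matched this way (the https link in the sample mail is never flagged even though the same host is visited).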