Bro can be classified as a protocol-analysis NIDS, right ?
I know it does signature/pattern matching too but
it does lot of protocol analysis too, right ?So is it correct to classify bro more like a protocol
analysis ids rather than sig-based ?it would be GREAT if anyone could drop a quick reply/comment..
The way the Bro paper describes it, Bro is "activity-based" as opposed to
signature-based. It certainly does emphasize detailed protocol analysis.
What I've meant by activity-based is similar to what is recently emerging
in the literature (by others) as "specification-based" intrusion detection,
and that's I think a better term.
So probably the best way to describe it is something like "a specification-
based NIDS that emphasizes detailed protocol analysis, though also capable
of signature-based detection".
Vern