Would you guys say that Bro implementing abnormal traffic analysis (i.e. deviation from a baseline) would be outside of Bro's scope? If not, is anyone working on it?
I was envisaging a learning baseline, with a base unit of one hour, covering 24 hours, then day of week (7 days), then day of month, then month of year. The actual baseline for each hour would be the average of those. The input would be the traffic percentages à la what we get from Bro at the moment, with a single user-supplied input being the deviation from that norm.
The reason this has come up (other than being something I've been thinking about for quite a while, and not just traffic-based) is that over the weekend our work's website was hit with an unsolicited security scan gone wrong: it got itself into a loop and hit us with over 150,000 POSTs in a couple of hours, until I got out of bed at 2:30 and put a firewall rule in place.
Bro did not alarm on this; we were alerted by disk-space issues from the logging. However, the skew in the normal traffic profile was obvious to the eye.
Other ways to detect this would be to alarm on too much traffic from a single IP (in this case); again, a baseline and deviation would be required for this to be truly usable and user-friendly. But that wouldn't help with a DDoS, which the more general traffic analysis would.
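An added sketch of the baseline scheme described above, written for this thread and not code from the original post or from Bro: hourly traffic counts are averaged along four calendar axes (hour of day, day of week, day of month, month), each hour's norm is the mean of those averages, and the one user-supplied input is the ratio above the norm that raises an alarm. The training data (four weeks of hourly POST counts) and the 75,000-POST surge are constructed to mirror the incident described.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class HourlyBaseline:
    """Per-hour traffic norm learned along four calendar axes; hours are scored against their mean."""

    def __init__(self, max_deviation):
        self.max_deviation = max_deviation  # the single user-supplied input
        self.axes = {a: defaultdict(lambda: [0.0, 0])  # key -> [sum, count]
                     for a in ("hour", "weekday", "monthday", "month")}

    @staticmethod
    def _keys(ts):
        return {"hour": ts.hour, "weekday": ts.weekday(), "monthday": ts.day, "month": ts.month}

    def learn(self, ts, value):
        for axis, key in self._keys(ts).items():
            acc = self.axes[axis][key]
            acc[0] += value
            acc[1] += 1

    def baseline(self, ts):
        """Mean of the per-axis averages that have data for this hour."""
        means = [s / n for s, n in (self.axes[a][k] for a, k in self._keys(ts).items()) if n]
        return sum(means) / len(means) if means else None

    def check(self, ts, value):
        """Return (ratio to baseline, alarm?) for one observed hour."""
        base = self.baseline(ts)
        if not base:
            return None, False  # nothing learned yet for this hour
        ratio = value / base
        return ratio, ratio > self.max_deviation

def synthetic_hour(ts):
    """Constructed POST counts: busy office hours, quiet nights, quieter weekends."""
    rate = 400 if 8 <= ts.hour < 18 else 40
    return rate // 4 if ts.weekday() >= 5 else rate

def train_model(weeks=4, max_deviation=3.0):
    model = HourlyBaseline(max_deviation)
    start = datetime(2024, 1, 1)  # constructed start date, a Monday
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        model.learn(ts, synthetic_hour(ts))
    return model

def demo():
    """Score a normal weekday afternoon and a 75,000-POST Sunday 01:00 surge."""
    model = train_model()
    return (model.check(datetime(2024, 1, 31, 14), 400),
            model.check(datetime(2024, 1, 28, 1), 75000))
```

Note that the coarser axes (day of month, month) pull the hourly norm towards the all-hours average, so a busy weekday afternoon already scores well above 1.0; the deviation threshold has to be tuned with that dilution in mind.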