Alarms based on abnormal traffic patterns

Hi,

Would you guys say that Bro implementing abnormal traffic analysis (ie deviation from a baseline) would be outside of Bro's scope? If not is anyone working on it?

I was envisaging a learning baseline, with a base unit of one hour, covering 24 hours, then day of week, 7 days, then day of month, then month of year. The actual baseline for each hour would be the averages of those. The input would be the traffic percentages à la what we get from Bro at the moment, with a single user-supplied input being the deviation from that norm.

The reason that this has come up (other than being something that I've been thinking about for quite a while, not just traffic based) is that over the weekend our work's website was hit with an unsolicited security scan gone wrong; it got itself into a loop and hit us with over 150,000 POSTs in a couple of hours until I got out of bed at 2:30 and put a fw rule in place.

Bro did not alarm on this, we were alerted by disk space issues from the logging, however the skew in normal traffic profiles was obvious to the eye.

Other ways to detect this would be to alarm on too much traffic from a single IP (in this case); again, a baseline and deviation would be required though to be truly usable and user friendly. But that wouldn't help with a DDoS, which the more general traffic analysis would.

Cheers Ed.
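Ed's proposed baseline, as an added illustration (not code from this thread or from Bro): a Python sketch that learns hourly means over the four cycles he lists, averages them into a per-hour baseline, and alarms when an observed count exceeds that baseline by more than a single user-supplied deviation factor. The traffic counts, dates and threshold below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class SeasonalBaseline:
    """Per-hour means keyed by hour-of-day, day-of-week, day-of-month and
    month-of-year; the baseline for a timestamp is the average of those means."""

    def __init__(self, max_deviation=2.0):
        # The single user-supplied knob: alarm when value > baseline * (1 + max_deviation).
        self.max_deviation = max_deviation
        # cycle name -> bucket key -> [sum, count]
        self._acc = {c: defaultdict(lambda: [0.0, 0]) for c in ("hour", "dow", "dom", "month")}

    @staticmethod
    def _keys(ts):
        return {"hour": ts.hour, "dow": ts.weekday(), "dom": ts.day, "month": ts.month}

    def learn(self, ts, value):
        for cycle, key in self._keys(ts).items():
            acc = self._acc[cycle][key]
            acc[0] += value
            acc[1] += 1

    def baseline(self, ts):
        """Average of the per-cycle means that have data; None during cold start."""
        means = [s / n for s, n in (self._acc[c][k] for c, k in self._keys(ts).items()) if n]
        return sum(means) / len(means) if means else None

    def check(self, ts, value):
        """Return (relative deviation, alarm); deviation is None if no baseline yet."""
        base = self.baseline(ts)
        if not base:
            return None, False
        dev = (value - base) / base
        return dev, dev > self.max_deviation

def demo():
    """Constructed data: 4 weeks of hourly POST counts, then the runaway scanner hour."""
    model = SeasonalBaseline(max_deviation=2.0)
    start = datetime(2013, 1, 7)  # a Monday
    for h in range(24 * 28):
        ts = start + timedelta(hours=h)
        count = 400 if 8 <= ts.hour < 18 else 50      # office hours vs. night
        if ts.weekday() >= 5:
            count //= 2                                # weekends are quieter
        model.learn(ts, count)
    sat_2am = datetime(2013, 2, 9, 2)  # a Saturday outside the training window
    return {"baseline": model.baseline(sat_2am),
            "quiet": model.check(sat_2am, 30),
            "scan": model.check(sat_2am, 150_000)}
```

With equal weights, the coarse day-of-month and month-of-year cycles pull the 02:00 baseline up to roughly 117 POSTs/hour against about 43 for that hour alone, which is exactly the kind of definitional problem that makes "abnormal" hard to pin down.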

Would you guys say that Bro implementing abnormal traffic analysis (ie
deviation from a baseline) would be outside of Bro's scope?

Outside of its scope in terms of what's been developed, yes. It could
be a reasonable framework though to use to implement such analysis.

HOWEVER: this sort of anomaly detection turns out to be much trickier
than it would appear. The problem is that non-attack traffic has enough
variation in it that often it's very hard to find a useful definition
of "abnormal" such that you can alarm on it without endlessly annoying
the operator who has to field the alarms. That said, sometimes one can
indeed find a sweet spot between normal behavior and problematic behavior.
But it's very tricky (and usually publishable research if you can develop
such a detector that works in multiple environments).

    Vern