Bro Anomaly Detection

Zeek
1

Hi, I have two questions regarding the Bro anomaly detection capability.
1.How does the Bro detect anomalies? Using writing rules(anomaly rules) or using a separate module ?
2.Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can the Bro be used only for the detection of anomalies.If it is possible, how?

Thanks

2

Hi, I have two questions regarding the Bro anomaly detection capability.
1.How does the Bro detect anomalies? Using writing rules(anomaly rules) or using a separate module ?
2.Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can the Bro be used only for the detection of anomalies.If it is possible, how?

Thanks

3

Technically, many of Bro’s protocol identification capabilities (use by Bro’s anomaly detection capabilities) utilize Bro’s signature framework.