Bro Anomaly Detection

Mr_Smith · February 18, 2014, 1:10pm

Hi, I have two questions regarding the Bro anomaly detection capability.
1.How does the Bro detect anomalies? Using writing rules(anomaly rules) or using a separate module ?
2.Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can the Bro be used only for the detection of anomalies.If it is possible, how?

Thanks

Slagell_Adam_J · February 18, 2014, 3:49pm

Bro doesn’t fit well into either the anomaly-based or signature based paradigm and is often referred to as a specification-based IDS. However, it is probably best understood as more than an IDS, as a network analysis framework that combines a powerful state engine with a full computer language aimed at network analysis.

So to answer your question, there are not separate “modules”. There are a set of scripts [1] that come with Bro, and the ability to customize and add to these. If you are interested in doing signature-based detection, look at [2].

I hope this helps to get you started.

:Adam Slagell

[1] http://www.bro.org/sphinx/scripts/index.html
[2] http://www.bro.org/sphinx/frameworks/signatures.html

Topic		Replies	Views
Bro Anomaly Detection Zeek	3	102	May 6, 2022
Bro: a question regarding type Zeek	1	63	May 6, 2022
need help on bro Zeek	3	57	May 6, 2022
Bro as an Anomaly Detector. Zeek	1	47	May 6, 2022
Anomaly-based intrusion detection in Zeek Development development	1	268	May 6, 2022

Bro Anomaly Detection

Related Topics