Bro Anomaly Detection

Hi, I have two questions regarding the Bro anomaly detection capability.
1.How does the Bro detect anomalies? Using writing rules(anomaly rules) or using a separate module ?
2.Is it possible to run the signature-based and anomaly-based parts of Bro separately?
I mean, can the Bro be used only for the detection of anomalies.If it is possible, how?

Thanks

Bro doesn’t fit well into either the anomaly-based or signature based paradigm and is often referred to as a specification-based IDS. However, it is probably best understood as more than an IDS, as a network analysis framework that combines a powerful state engine with a full computer language aimed at network analysis.

So to answer your question, there are not separate “modules”. There are a set of scripts [1] that come with Bro, and the ability to customize and add to these. If you are interested in doing signature-based detection, look at [2].

I hope this helps to get you started.

:Adam Slagell

[1] http://www.bro.org/sphinx/scripts/index.html
[2] http://www.bro.org/sphinx/frameworks/signatures.html