Bro as an Anomaly Detector.

Dear Anil,

Bro is more a network monitor than an anomaly detector. If you wish
to write an anomaly detector, Bro’s domain scripting language will greatly
simplify network analysis for you. I believe Bro doesn’t have the more involved
machine learning style anomaly detection* at the moment. However, there are
some scripts for detection of SSH brute forcing, SQL injection attacks and
malicious network scan that rely on deviation from a threshold. You will
find these scripts in the directory /usr/local/bro/share/bro/scripts/policy (you might
need to adjust the path depending on where you installed Bro on your machine).

There is a new framework SumStats** (Bro frameworks are similar to what we call
libraries in most other languages–they facilitate tasks which would be otherwise
rather tedious to perform) that simplifies the overall task of performing measurements
over network data. Hope this helps.

* You might be interested in looking at the paper [] to know why.

**http://trac.bro-ids.org/sphinx-git/_downloads/main16.bro

Regards.
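The threshold-style detection the message describes, written against the SumStats framework it mentions, as an added example that is not part of the original email or of Bro's own policy scripts. It counts failed SSH logins per source address over a fixed window and raises a notice when the count exceeds a threshold. The threshold value, window length, stream name and notice type are all assumptions chosen for illustration; the `ssh_auth_failed` event is the one provided by the SSH analyzer in Bro 2.4 and later (and Zeek), while releases from the era of this message exposed the equivalent hook as `SSH::heuristic_failed_login`.

```bro
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/ssh

module ThresholdDemo;

export {
    redef enum Notice::Type += {
        ## Raised when one source exceeds the failed-login threshold (assumed type name).
        SSH_Failure_Threshold,
    };

    ## Assumed threshold and window; tune both for the network being monitored.
    const fail_threshold: double = 20.0 &redef;
    const window = 10min &redef;
}

event bro_init()
    {
    # One reducer summing the observations on the "ssh.fail" stream per key.
    local r1 = SumStats::Reducer($stream="ssh.fail", $apply=set(SumStats::SUM));

    SumStats::create([$name="ssh-failures",
                      $epoch=window,
                      $reducers=set(r1),
                      # The value compared against $threshold: the running sum for this key.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["ssh.fail"]$sum;
                          },
                      $threshold=fail_threshold,
                      # Fired once per key per epoch when the sum crosses the threshold.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=SSH_Failure_Threshold,
                                  $src=key$host,
                                  $msg=fmt("%s had %s failed SSH logins within %s",
                                           key$host, result["ssh.fail"]$sum, window)]);
                          }]);
    }

# Each failed authentication becomes one observation keyed by the client address.
event ssh_auth_failed(c: connection)
    {
    SumStats::observe("ssh.fail", [$host=c$id$orig_h], [$num=1]);
    }
```

Because the key is the originating host, the counter is independent per source and resets every epoch; on a cluster deployment SumStats aggregates the per-worker sums on the manager, so the threshold is evaluated on the combined count rather than on each worker's share.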