Can someone explain why Bro is said to be a "behavioral" IDS and give an
example? I understand Bro can perform protocol analysis and DPI via its
analyzers, but what about "behavioral"?
Thanks in advance.
Consider the below:
https://github.com/bro/bro-scripts/blob/master/smtp-url.bro
##! A script for handling URLs in SMTP traffic. This script does
##! two things. It logs URLs discovered in SMTP traffic. It
##! also records them in a bloomfilter and looks for them to be
##! visited through HTTP requests.
##!
##! Authors: Aashish Sharma asharma@lbl.gov
##! Seth Hall seth@icir.org
That may fit the bill as “behavioral”.
James
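An added illustration of the cross-protocol correlation that the smtp-url.bro header describes, written in Python over constructed sample records; it is not code from the Bro script or the mailing list, and the BloomFilter class and canonical() helper are assumptions standing in for Zeek's bloom filter built-ins and URL handling.

```python
import hashlib
from urllib.parse import urlparse


class BloomFilter:
    """Minimal Bloom filter (constructed here; stands in for Zeek's bloomfilter_* BIFs)."""

    def __init__(self, size=65536, hashes=3):
        self.size, self.hashes = size, hashes
        self.bits = bytearray(size // 8 + 1)

    def _idx(self, item):
        # Derive k bit positions from salted SHA-256 digests of the item.
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.size

    def add(self, item):
        for i in self._idx(item):
            self.bits[i // 8] |= 1 << (i % 8)

    def __contains__(self, item):
        return all(self.bits[i // 8] & (1 << (i % 8)) for i in self._idx(item))


def canonical(url):
    """Normalise a URL to host+path so a mailed link and a later HTTP request compare equal."""
    u = urlparse(url.strip())
    return f"{u.netloc.lower()}{u.path or '/'}"


# Constructed sample data: URLs extracted from mail bodies (what smtp-url.bro logs)
# and http.log-style (client, host, uri) tuples seen afterwards on the wire.
SMTP_URLS = ["http://Files-share.example/invoice/1234.zip", "https://example.org/newsletter"]
HTTP_REQUESTS = [
    ("10.0.0.5", "files-share.example", "/invoice/1234.zip"),
    ("10.0.0.7", "www.example.com", "/index.html"),
]


def correlate(smtp_urls, http_requests):
    """Return (client, url) pairs where a URL first seen in email is later fetched over
    HTTP: the behaviour the script watches for, rather than any single-packet signature."""
    seen = BloomFilter()
    for url in smtp_urls:
        seen.add(canonical(url))
    hits = []
    for client, host, uri in http_requests:
        if canonical(f"http://{host}{uri}") in seen:
            hits.append((client, host + uri))
    return hits
```

A hit here is a detection-worthy event for a defender: a host on the monitored network followed a link that arrived by mail, which is exactly the kind of cross-protocol behaviour a pure signature match cannot express.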
weird.log is the definition of “weird behavior”. And these are examples of what exists, as there may be test cases you develop based on traffic that you see. Bro could handle and alert on abnormal behavior based on your criteria.
Here is another example from Bro’s shellshock detector (emphasis is mine):
“…It’s more comprehensive than most of the detections around in that it’s watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability.”
Read more here: https://github.com/broala/bro-shellshock
Thanks.
MP