Bro behavioral analysis

Can someone explain why Bro is said to be a "behavioral" IDS and give an
example? I understand Bro can perform protocol analysis, DPI, by its
analyzers, but what about "behavioral"?

Thanks in advance.

_______________________________________________
Bro mailing list
[bro@bro-ids.org](mailto:bro@bro-ids.org)
[http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro](http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro)

Consider the below:

https://github.com/bro/bro-scripts/blob/master/smtp-url.bro

##! A script for handling URLs in SMTP traffic. This script does
##! two things. It logs URLs discovered in SMTP traffic. It
##! also records them in a bloomfilter and looks for them to be
##! visited through HTTP requests.
##!
##! Authors: Aashish Sharma asharma@lbl.gov
##! Seth Hall seth@icir.org

That may fit the bill as “behavioral”.

James
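To make the "behavioral" part concrete, here is an added stand-alone Python sketch of the same idea the smtp-url.bro header describes. It is not the Bro script and does not use Bro's APIs: it replays a constructed stream of SMTP-body and HTTP-request events, remembers URLs seen in mail in a small Bloom filter, and reports only when a host later requests one of those URLs over HTTP. Neither event is interesting by itself; the sequence is the behavior. Event names, fields, and the sample events are assumptions made for this illustration.

```python
"""Behavioral correlation in the spirit of smtp-url.bro, reimplemented in
plain Python as an illustration. This is NOT the Bro script and uses none
of Bro's event or bloomfilter functions.

Modelled behavior: a URL is first seen inside an e-mail body (SMTP), and the
same URL is later fetched over HTTP by some host. URLs seen in SMTP are kept
in a Bloom filter, as the original script does, so memory stays bounded."""
import hashlib
import re
from dataclasses import dataclass

# Simple URL extractor for mail bodies (assumption: http/https only).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class BloomFilter:
    """Minimal Bloom filter: k SHA-256-derived positions over a bit array.
    Membership answers may be false positives, never false negatives."""

    def __init__(self, size_bits: int = 8192, hashes: int = 4):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


@dataclass
class Event:
    ts: float   # seconds, used only to order events
    kind: str   # "smtp_body" or "http_request" (hypothetical event names)
    host: str   # client address that produced the event
    data: str   # mail body for smtp_body, full request URL for http_request


def correlate(events):
    """Return (ts, host, url) for every HTTP request whose URL was earlier
    observed inside an SMTP message body."""
    seen = BloomFilter()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "smtp_body":
            for url in URL_RE.findall(ev.data):
                # Trailing punctuation in prose is not part of the URL.
                seen.add(url.rstrip(".,)"))
        elif ev.kind == "http_request":
            if ev.data in seen:
                alerts.append((ev.ts, ev.host, ev.data))
    return alerts


# Constructed sample events; the hosts and URLs are made up for this example.
SAMPLE_EVENTS = [
    Event(1.0, "smtp_body", "10.0.0.5",
          "Please review the invoice at http://example.test/invoice.pdf today."),
    Event(2.0, "http_request", "10.0.0.7", "http://example.test/login"),
    Event(3.0, "http_request", "10.0.0.9", "http://example.test/invoice.pdf"),
]

if __name__ == "__main__":
    for ts, host, url in correlate(SAMPLE_EVENTS):
        print(f"{ts}: {host} fetched URL previously seen in mail: {url}")
```

The single alert comes from the third event: the request for `http://example.test/invoice.pdf` matches a URL that arrived in mail earlier, while the request for `/login` passes because it was never seen in SMTP. In Bro the same two halves are supplied by the SMTP and HTTP analyzers and the built-in bloomfilter functions; the script's contribution is purely the stateful link between them, which is what makes it behavioral rather than a signature match on either protocol.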

weird.log is the definition of “weird behavior”. And these are examples of what exists, as there may be test cases you develop based on traffic that you see. Bro could handle and alert on abnormal behavior based on your criteria.

Here is another example from Bro’s shellshock detector (emphasis is mine):

“…It’s more comprehensive than most of the detections around in that it’s watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability.”

Read more here: https://github.com/broala/bro-shellshock

Thanks.
MP