Bro IDS anomaly detection

Dear All.

I am working in the area of anomaly detection. I am interested in understanding the existing mechanism implemented in Bro.

Please refer me to some useful material and/or research papers, especially on how it is different from Snort.


Actually, there is a lot of work in the literature on anomaly detection using Snort, but in Bro there is no or less work… whether the existing Bro scripts are enough for network intrusion detection… where do you think enhancements can be made? A SANS document on finding web application attacks using Bro scripting… what do you think if Bro logs are used for anomaly detection… Any work already done in this direction?