I have a question about Bro's capabilities.
Could you please explain how Bro works? I know Bro has "protocol analysis" capabilities for some protocols and is a "behavior-based" IDS.
If I understand correctly, Bro can learn the way a network is used (like machine learning) and then dissect all the protocols it can parse (HTTP, FTP, …) to see whether the field values of these protocols were recorded during the learning phase?
Thanks for your answers.
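The protocol-analysis side of Bro that the question asks about, as an added example (this is not part of the question and not a script shipped with Bro): a small policy script in Bro's own scripting language. Bro's HTTP analyzer parses each connection and raises events such as `http_request` and `http_header`; the handlers below receive the already-parsed fields and compare the Host header against a fixed, hand-written allow-list. The module name, the notice type `Unexpected_Host` and the hostnames in `allowed_hosts` are hypothetical values chosen for the example.

```bro
##! Added example, not from the Bro distribution: inspect fields parsed by
##! Bro's HTTP analyzer and raise a notice for requests to unexpected hosts.

@load base/frameworks/notice
@load base/protocols/http

module ExampleHttp;

export {
    redef enum Notice::Type += {
        ## Hypothetical notice type for this example.
        Unexpected_Host,
    };

    ## Hostnames this site expects in HTTP requests (hypothetical values;
    ## a deployment would redef this from its own policy).
    const allowed_hosts: set[string] = {
        "www.example.com",
        "intranet.example.com",
    } &redef;
}

# Fired once per HTTP request line. Method and URI arrive already parsed,
# so the handler never tokenizes raw bytes itself.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    if ( method == "TRACE" || method == "CONNECT" )
        print fmt("%s -> %s: unusual method %s %s",
                  c$id$orig_h, c$id$resp_h, method, unescaped_URI);
}

# Fired once per HTTP header. Only the request side (is_orig) carries the
# Host header, and Bro delivers header names upper-cased.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( ! is_orig || name != "HOST" )
        return;

    # Drop an optional ":port" suffix before the lookup.
    local host = sub(value, /:[0-9]+$/, "");

    if ( host !in allowed_hosts )
        NOTICE([$note=Unexpected_Host,
                $msg=fmt("HTTP request to unexpected host %s", host),
                $conn=c,
                $identifier=cat(c$id$orig_h, host)]);
}
```

Run it offline against a capture with `bro -r capture.pcap example.bro`; matches appear in `notice.log` next to the usual `http.log` and `conn.log`. Everything the script decides on comes from the handler arguments and the explicit allow-list, which is the part a practitioner writes by hand.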