Hi everybody,
I will give a scenario; let me know whether it is possible using Bro IDS or not.
If there is traffic of TCP, UDP, ICMP, HTTPS, SMTP and DNS at 80%, 50%, 30%, 70%, 80% and 60% respectively during working days (Mon-Fri, from 10am-6pm), which we can say is normal traffic, and if this traffic differs by 10% below or above for each protocol, then an alarm should be triggered. Similarly, with off hours (7pm to 9am), if we see the same amount of traffic, an alarm should be triggered. Is it possible with Bro to make this type of scenario detectable?
–manmeet singh
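One way to realise the scenario as an offline check over Bro's conn.log, added here as an example that is not from the original thread or from the Bro project: it tallies each time window's connections per identified service or, failing that, per transport protocol, compares them with the working-day profile from the post (treated as fractions of an assumed reference volume of 100 connections per window), and raises an alarm when a working-hours count leaves the 10% band or when an off-hours count falls inside it. The column layout, timestamps and volumes are constructed for the example; UTC is assumed for the working-hours clock.

```python
from collections import Counter
from datetime import datetime, timezone
# Working-day profile from the post, as fractions of an assumed reference
# volume (constructed: 100 connections per window is "100%").
BASELINE = {"tcp": 0.80, "udp": 0.50, "icmp": 0.30,
            "https": 0.70, "smtp": 0.80, "dns": 0.60}
REFERENCE_VOLUME = 100
TOLERANCE = 0.10                 # alarm band: 10% below or above the baseline
SERVICE_MAP = {"ssl": "https"}   # conn.log records HTTPS as service "ssl"

def period(ts):
    """Classify an epoch timestamp into the post's periods (UTC assumed)."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if dt.weekday() < 5 and 10 <= dt.hour < 18:
        return "working"
    return "off" if dt.hour >= 19 or dt.hour < 9 else None

def count_window(records):
    """Tally rows (ts, proto, service) by identified service, else transport."""
    counts = Counter()
    for row in records:
        if not row or row.startswith("#"):
            continue
        _ts, proto, service = row.split("\t")[:3]
        svc = SERVICE_MAP.get(service, service)
        counts[svc if svc in BASELINE else proto] += 1
    return counts

def check_window(records):
    """Return alarm strings for one time window of conn.log rows."""
    alarms, counts = [], count_window(records)
    when = period(float(records[0].split("\t")[0])) if records else None
    for name, frac in BASELINE.items():
        lo = frac * REFERENCE_VOLUME * (1 - TOLERANCE)
        hi = frac * REFERENCE_VOLUME * (1 + TOLERANCE)
        seen = counts[name]
        if when == "working" and not lo <= seen <= hi:
            alarms.append(f"{name}: {seen} outside working-hours band {lo:.0f}-{hi:.0f}")
        elif when == "off" and lo <= seen <= hi:
            alarms.append(f"{name}: {seen} is working-hours volume during off hours")
    return alarms

def make_records(ts, volumes):
    """Constructed sample rows; volumes maps (proto, service) to a count."""
    return [f"{ts}\t{p}\t{s}" for (p, s), n in volumes.items() for _ in range(n)]
# Constructed sample windows: Monday 12:00 and 22:00 UTC with the normal profile.
WORKING_TS = datetime(2024, 1, 8, 12, tzinfo=timezone.utc).timestamp()
OFF_TS = datetime(2024, 1, 8, 22, tzinfo=timezone.utc).timestamp()
NORMAL = {("tcp", "-"): 80, ("udp", "-"): 50, ("icmp", "-"): 30,
          ("tcp", "ssl"): 70, ("tcp", "smtp"): 80, ("udp", "dns"): 60}
```

The same per-interval counting can be done inside Bro with its SumStats framework; this script is the post-processing form that runs over exported logs.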