General questions about Bro's capabilities

Hello,

How can Bro be used to set a network profile and work as a behavior IDS?

Does Bro need to understand L7 protocols? Is it compulsory? If not, what would be its capabilities?

Thanks for your answers.

Regards.

Bro has an understanding of many of the more popular layer 7 protocols and is able to generate logs based on what it sees.
One rather simple way to create a baseline for a network could be to monitor the network for a period of time and observe the logs Bro generates.

-AK
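As an added illustration of the baseline approach described above (not code from the thread or from the Bro project): this Python script reads a constructed excerpt of the `conn.log` Bro writes, treats everything before a chosen cutoff timestamp as the learning window, builds the set of services (responder host, port, transport) observed in that window, and reports later connections to services outside that profile. The column names come from the `#fields` header, so the parser does not depend on column order; the cutoff value and the log lines are assumptions made for the example.

```python
# Constructed excerpt of a Bro conn.log (tab separated). Bro writes a #fields
# header naming the columns, so the parser reads names from it instead of
# hard-coding positions. "-" in the service column is Bro's unset marker.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1000.0\tC1\t10.0.0.5\t51000\t10.0.0.10\t80\ttcp\thttp\n"
    "1005.0\tC2\t10.0.0.6\t51001\t10.0.0.10\t443\ttcp\tssl\n"
    "1010.0\tC3\t10.0.0.5\t51002\t10.0.0.11\t53\tudp\tdns\n"
    "5000.0\tC4\t10.0.0.7\t51003\t10.0.0.10\t80\ttcp\thttp\n"
    "5100.0\tC5\t10.0.0.5\t51004\t10.0.0.10\t22\ttcp\tssh\n"
    "5200.0\tC6\t10.0.0.9\t51005\t10.0.0.12\t4444\ttcp\t-\n"
)


def parse_conn_log(text):
    """Yield each record as a dict keyed by the names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line or fields is None:
            continue  # other header lines, blank lines, or data before a header
        else:
            yield dict(zip(fields, line.split("\t")))


def service_key(rec):
    """A service is identified by responder host, responder port and transport."""
    return (rec["id.resp_h"], int(rec["id.resp_p"]), rec["proto"])


def build_baseline(records, learn_until):
    """Profile: every service that was used during the learning window."""
    return {service_key(r) for r in records if float(r["ts"]) < learn_until}


def detect_new_services(records, baseline, learn_until):
    """After the learning window, report connections to services not in the profile."""
    return [(r["uid"], r["id.orig_h"], service_key(r)) for r in records
            if float(r["ts"]) >= learn_until and service_key(r) not in baseline]


def profile_and_detect(text, learn_until):
    """Return (baseline, alerts) for one conn.log text and a cutoff timestamp."""
    records = list(parse_conn_log(text))
    baseline = build_baseline(records, learn_until)
    return baseline, detect_new_services(records, baseline, learn_until)


if __name__ == "__main__":
    profile, alerts = profile_and_detect(SAMPLE_CONN_LOG, learn_until=2000.0)
    print("baseline services:", sorted(profile))
    for uid, client, svc in alerts:
        print(f"{uid}: {client} -> {svc[0]}:{svc[1]}/{svc[2]} not in baseline")
```

In practice the learning window would span days of Bro's rotated logs rather than a single cutoff, and the profile would be refreshed as the network changes.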

Hi Savakh,

The analyzers for specific protocols are included in src\analyzer\protocol of the source code repository. You may also take a look at Binpac (https://www.bro.org/sphinx/components/binpac/README.html). Most current application layer protocols based on TCP or UDP are added in Bro by using Binpac. With the help of Binpac, it is also easy to add new protocol analyzers in Bro.

Hope this helps.

Hugo