Recently, I have really been fascinated by the elegance of Bro, and I have read some of the source code of Bro. Now I do want to add something to make Bro stronger. With the increasing attention paid to anomaly detection, I would like to implement specification-based anomaly detection in Bro. One of my available ideas is to implement the protocol specification by means of a protocol state machine. I do wonder how to accomplish that in Bro. Is there anyone who has any idea or has done something similar before?
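One way the state-machine idea above can be expressed in Bro script, as an added example that is not from the poster or from the Bro project: the FTP login phase (RFC 959) is modelled as three states, and a command that is not legal in the current state raises a notice. It assumes the `ftp_request`/`ftp_reply` events from Bro's FTP analyzer and the Notice framework; the module name `SpecFTP`, the `State` enum, the `allowed` transition table and the `Spec_Violation` notice type are all names chosen for this example.

```zeek
# Added example (not part of the original post or of Bro itself):
# specification-based anomaly detection for the FTP login phase,
# expressed as a per-connection protocol state machine.
@load base/frameworks/notice
@load base/protocols/ftp

module SpecFTP;

export {
    redef enum Notice::Type += {
        ## A client command arrived in a state where RFC 959 does not allow it.
        Spec_Violation,
    };

    ## States of the login phase. Hypothetical enum for this example.
    type State: enum { NEED_USER, NEED_PASS, AUTHENTICATED };
}

# Current state of every tracked connection, keyed by connection uid.
# New connections start in NEED_USER; stale entries expire on their own.
global states: table[string] of State &default=NEED_USER &write_expire=10min;

# Transition table: which client commands the specification permits per state.
# (Constructed for this example; extend it as needed for the commands you see.)
const allowed: table[State] of set[string] = {
    [NEED_USER]     = set("USER", "QUIT", "FEAT", "SYST"),
    [NEED_PASS]     = set("PASS", "QUIT"),
    [AUTHENTICATED] = set("PASS", "QUIT", "PWD", "CWD", "TYPE", "PASV", "PORT",
                          "LIST", "RETR", "STOR", "FEAT", "SYST"),
};

event ftp_request(c: connection, command: string, arg: string)
{
    local s = states[c$uid];
    local cmd = to_upper(command);

    # Anything outside the allowed set for this state is a spec violation,
    # e.g. RETR before any login, or PASS without a preceding USER.
    if ( cmd !in allowed[s] )
    {
        NOTICE([$note=Spec_Violation,
                $conn=c,
                $msg=fmt("FTP command %s not allowed in state %s", cmd, s)]);
        return;
    }

    # Only USER moves us forward from the client side; the server's reply
    # decides whether the login actually succeeded (see ftp_reply below).
    if ( s == NEED_USER && cmd == "USER" )
        states[c$uid] = NEED_PASS;
}

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
    # 230 = "User logged in" (also sent directly after USER on anonymous
    # servers); 530 = login failed, so the client has to start over.
    if ( code == 230 )
        states[c$uid] = AUTHENTICATED;
    else if ( code == 530 )
        states[c$uid] = NEED_USER;
}

event connection_state_remove(c: connection)
{
    # Drop the entry when Bro tears the connection down.
    delete states[c$uid];
}
```

The script only tracks the login phase; a full specification would add data-connection states (PASV/PORT followed by a transfer command) in the same style, and one caveat to keep in mind is that the transition table must be derived from the protocol specification rather than from observed traffic, otherwise the detector merely learns whatever the monitored servers already accept.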
What could really be used is a multi-threaded manager. We’re running into issues with “best practices” due to the single threading of the mgr and HW limits in our cluster.