I am doing my research work in Intrusion Detection Systems. I read a paper about an anomaly detection technique from CS at Columbia University. A clustering algorithm is applied to classify the normal and abnormal connections. Connections are at a higher level than packets, which are what Snort uses, so connections can have a smaller data size and carry more information.
The author said Bro was modified to generate the 41 features; I would appreciate it if someone is kind enough to give me some hints on how to do this. I am sure an event analyser and handler should be added to Bro, but where, how and when should the event handler be invoked?
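The 41 features the post refers to are the KDD'99 connection features (Lee and Stolfo's work at Columbia). Roughly a third of them are "intrinsic" fields that Bro already writes for every connection, and another third are "traffic" features that summarise the connections seen in the past two seconds to the same destination host or the same service. Rather than patching Bro's event engine, a simpler route is to let Bro write its normal conn.log (emitted once a connection is finished and expired from Bro's state table) and derive the features from that log afterwards. The script below is an added example, not code from the original post or from the Bro project. It assumes a tab-separated conn.log with a `#fields` header, maps Bro's `conn_state` values directly onto the KDD `flag` feature, treats S0/S1/S2/S3 as SYN errors and REJ as a REJ error, keys the two-second window on the connection's start timestamp, and counts the current connection as part of its own window (so the rates are always defined). The sample log is constructed for the example and abbreviated to the columns used. The content features (hot indicators, failed logins and so on) need payload inspection and are not derived here.

```python
"""Derive KDD'99-style connection features from a Bro conn.log.

Added example, not code from the original post or from Bro. It covers the
intrinsic and two-second "traffic" features of the 41-feature set by
post-processing conn.log instead of modifying Bro's event engine.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

WINDOW_SECONDS = 2.0                         # "past two seconds" in the KDD feature definitions
SYN_ERROR_STATES = {"S0", "S1", "S2", "S3"}  # Bro conn_state values counted as SYN errors (assumption)
REJ_STATES = {"REJ"}                         # Bro conn_state values counted as REJ errors (assumption)


@dataclass
class Conn:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str
    duration: float
    orig_bytes: int
    resp_bytes: int
    conn_state: str


def _num(value: str, cast: Callable):
    """Bro writes '-' for unset fields; treat those as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse Bro's tab-separated conn.log, using its #fields header for column order."""
    fields: List[str] = []
    conns: List[Conn] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split("\t")))
        conns.append(Conn(
            ts=float(row["ts"]),
            orig_h=row["id.orig_h"], orig_p=int(row["id.orig_p"]),
            resp_h=row["id.resp_h"], resp_p=int(row["id.resp_p"]),
            proto=row["proto"],
            service=row["service"] if row["service"] != "-" else "other",
            duration=_num(row["duration"], float),
            orig_bytes=_num(row["orig_bytes"], int),
            resp_bytes=_num(row["resp_bytes"], int),
            conn_state=row["conn_state"],
        ))
    conns.sort(key=lambda c: c.ts)
    return conns


def _rate(subset: List[Conn], pred: Callable[[Conn], bool]) -> float:
    """Fraction of connections in subset satisfying pred (subset is never empty here)."""
    return sum(1 for c in subset if pred(c)) / len(subset)


def extract_features(conns: List[Conn]) -> List[Dict[str, object]]:
    """One feature row per connection, computed from connections seen up to and including it."""
    rows: List[Dict[str, object]] = []
    for i, cur in enumerate(conns):
        # Two-second window keyed on start time; includes the current connection (assumption).
        window = [c for c in conns[: i + 1] if cur.ts - c.ts <= WINDOW_SECONDS]
        same_host = [c for c in window if c.resp_h == cur.resp_h]
        same_srv = [c for c in window if c.service == cur.service]
        rows.append({
            # intrinsic features, taken straight from the connection record
            "duration": cur.duration,
            "protocol_type": cur.proto,
            "service": cur.service,
            "flag": cur.conn_state,
            "src_bytes": cur.orig_bytes,
            "dst_bytes": cur.resp_bytes,
            "land": int(cur.orig_h == cur.resp_h and cur.orig_p == cur.resp_p),
            # traffic features over connections to the same destination host
            "count": len(same_host),
            "serror_rate": _rate(same_host, lambda c: c.conn_state in SYN_ERROR_STATES),
            "rerror_rate": _rate(same_host, lambda c: c.conn_state in REJ_STATES),
            "same_srv_rate": _rate(same_host, lambda c: c.service == cur.service),
            "diff_srv_rate": _rate(same_host, lambda c: c.service != cur.service),
            # traffic features over connections to the same service
            "srv_count": len(same_srv),
            "srv_serror_rate": _rate(same_srv, lambda c: c.conn_state in SYN_ERROR_STATES),
            "srv_rerror_rate": _rate(same_srv, lambda c: c.conn_state in REJ_STATES),
            "srv_diff_host_rate": _rate(same_srv, lambda c: c.resp_h != cur.resp_h),
        })
    return rows


# Constructed sample log, abbreviated to the columns used above: a port sweep
# (S0/REJ) against 192.168.1.10 interleaved with ordinary HTTP connections.
_ROWS = [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["1000.000", "C1", "10.0.0.5", "40001", "192.168.1.10", "80", "tcp", "http", "0.510", "312", "1420", "SF"],
    ["1000.200", "C2", "10.0.0.5", "40002", "192.168.1.10", "22", "tcp", "-", "-", "0", "0", "S0"],
    ["1000.400", "C3", "10.0.0.5", "40003", "192.168.1.10", "23", "tcp", "-", "-", "0", "0", "S0"],
    ["1000.600", "C4", "10.0.0.5", "40004", "192.168.1.10", "25", "tcp", "-", "-", "0", "0", "REJ"],
    ["1000.800", "C5", "10.0.0.5", "40005", "192.168.1.11", "80", "tcp", "http", "0.220", "300", "1100", "SF"],
    ["1001.000", "C6", "10.0.0.5", "40006", "192.168.1.10", "80", "tcp", "http", "0.200", "200", "900", "SF"],
    ["1005.000", "C7", "10.0.0.7", "40007", "192.168.1.10", "80", "tcp", "http", "0.300", "250", "1000", "SF"],
]
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in _ROWS)


def sample_features() -> List[Dict[str, object]]:
    return extract_features(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for row in sample_features():
        print(row["flag"], row["count"], row["srv_count"], round(row["serror_rate"], 2))
```

On the sample, the sweep shows up as `count` climbing to 5 with `serror_rate` 0.4 and `rerror_rate` 0.2 for the HTTP connection at 1001.0, while the isolated connection at 1005.0 falls outside every window and scores 1 on both counts. The remaining KDD traffic features (the `dst_host_*` family over the last 100 connections to a host) follow the same pattern with a count-based rather than time-based window.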