On slide 11 of this presentation: https://www.bro.org/bro-workshop-2011/slides/network-forensics.pdf
There is a Use Case for Insider Abuse, I am interested in this and am a beginner to Bro IDS scripting. Is there any existing script dealing with some form of Insider Abuse that I can use as an example?
"Insider Abuse" is a very wide topic. Is there something a little more specific that you're looking to do?
> There is a Use Case for Insider Abuse, I am interested in this and am a
> beginner to Bro IDS scripting. Is there any existing script dealing with
> some form of Insider Abuse that I can use as an example?
Rather than having a script for one particular instance of insider
abuse, I wanted to highlight the overall approach in this talk. What
makes insider abuse hard to detect is that often each individual action
in isolation is legit, but only constitutes a policy violation when
analyzed in sequence. The challenge lies in analyzing chains of actions.
Doing so live (i.e., while analyzing traffic in real time) may not be
feasible because such actions often manifest over longer time periods.
Therefore, detection angles often rely on summaries of past activity,
such as behavior profiles. But this goes quickly into distilling
patterns of normality and then flagging deviations (with all its
That said, I'm sure there are simpler, concrete instances of insider
abuse which can be readily coded up in Bro. It all depends on the policy
of your site and the assets you're trying to protect.
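As an added illustration of the chain-of-actions approach described in the reply above (example code, not from the talk or the Bro distribution), this Bro 2.x script keeps per-host state so that two individually legitimate events become one notice. The policy itself ("SSH login to a local host, then a large upload from that host to an external one within an hour"), the 100 MB threshold and the one-hour window are assumptions chosen for the example.

```bro
# Added example: correlate a chain of two actions that are each legitimate
# on their own. Policy, threshold and window are assumptions for this example.
@load base/frameworks/notice

module InsiderChain;

export {
    redef enum Notice::Type += {
        ## An SSH login followed by a large outbound transfer from the same host.
        Login_Then_Exfil
    };

    ## Bytes sent by the originator that count as "large" (assumed threshold).
    const exfil_threshold = 100 * 1024 * 1024 &redef;

    ## How long a login stays relevant for the chain (assumed window).
    const chain_window = 1hr &redef;
}

# Step 1 of the chain: local hosts that recently accepted an SSH session.
# Entries expire on their own, so the state does not grow without bound.
global recently_logged_in: table[addr] of time &create_expire=chain_window;

event connection_state_remove(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    # Action 1 (legit in isolation): an SSH session to a local host.
    if ( c$id$resp_p == 22/tcp && Site::is_local_addr(resp) )
        {
        recently_logged_in[resp] = network_time();
        return;
        }

    # Action 2 (also legit in isolation): a large upload to a remote host.
    # Only the sequence "login, then upload within the window" is flagged.
    if ( Site::is_local_addr(orig) && ! Site::is_local_addr(resp)
         && c$orig$size > exfil_threshold && orig in recently_logged_in )
        {
        NOTICE([$note=Login_Then_Exfil,
                $msg=fmt("%s accepted SSH at %s and then sent %d bytes to %s",
                         orig, recently_logged_in[orig], c$orig$size, resp),
                $conn=c]);
        }
    }
```

The table lookup is the "summary of past activity" the reply mentions; longer chains or behavior profiles follow the same pattern with richer per-host records and longer expiry windows.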