I'm a new learner of Bro, so I don't know it well yet. My question is that the policy script is used to decide what kind of behavior is an intrusion, but what principle should I base my judgement on? If the answer is that Bro only provides a platform for users to detect intrusions according to their own philosophy, how does Bro do that in its original policy scripts?
Thanks a lot for your answer!
I'm a new learner of Bro, so I don't know it well yet. My question is that the policy script is used to decide what kind of behavior is an intrusion, but what principle should I base my judgement on?
The characteristics that you decide to watch for may be extremely specific to your environment, so scripts that detect the activity you are interested in may not already exist. However, once you learn the language and techniques, it's typically easy to write a script or set of scripts to begin monitoring for the activity. Primarily, my recommendation (and what we do here) is to sit around and talk with colleagues for a while about what network activity is OK and what isn't. This will frequently bring up thoughts about previous incidents that have been encountered, or even misconfigurations that are not compromises but which could be detected by watching network traffic. Once you have a list of tasks to accomplish and activity to begin detecting, it will at least give you a direction to go and ideas for how to construct your scripts.
If the answer is that Bro only provides a platform for users to detect intrusions according to their own philosophy, how does Bro do that in its original policy scripts?
The shipped scripts do monitor for some activity such as network/port scanning and some possibly undesired application specific activity (irc, http, and ftp for example), but the scripts make no assumptions about what activity is undesired on your network. It's your job to define your local notice policy to indicate what's "bad" on your network. Robin has a post he wrote about how to use the notice framework in Bro to define what's "bad":
He also has some slides from the last workshop where he spoke about the notice framework (you'll have to dig through for the notice framework part):
I also distribute some scripts that watch for additional activity and raise some of their own notices (in addition to logging like crazy):
The most important thing, though, is that you have to learn the Bro scripting language well if you want to be able to be really effective with Bro. You are *always* going to find some sort of activity that you want to watch for which no one has written a script for, or for which an analyzer doesn't yet exist to even parse the traffic you are most interested in.
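To make the "define your local notice policy" advice concrete, here is an added example of a site-local policy in Bro 2.x script syntax (written for this thread, not taken from the reply above or from Bro's shipped scripts). It assumes the scan and SSH brute-force policy scripts that ship with Bro 2.1 and later are available; the network range and mail address are placeholders.

```bro
# Added example: a site-local notice policy, loaded from local.bro.
# Notice types and framework identifiers are those shipped with Bro 2.1+;
# the subnet and mail destination below are placeholders to replace.
@load base/frameworks/notice
@load base/utils/site
@load policy/misc/scan
@load policy/protocols/ssh/detect-bruteforcing

redef Site::local_nets += { 192.0.2.0/24 };      # placeholder: your own network
redef Notice::mail_dest = "security@example.org"; # placeholder

# Notice types that are never worth recording on this network.
redef Notice::ignored_types += { Scan::Port_Scan };

# Notice types that always warrant an e-mail, whatever the details.
redef Notice::emailed_types += { SSH::Password_Guessing };

# Finer-grained decisions go into the Notice::policy hook, which runs for
# every notice before the notice's actions are applied.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note != Scan::Address_Scan )
        return;

    # Address scans from outside the site are worth an alarm; scans from
    # inside are usually misconfigured hosts, so they are only logged.
    if ( n?$src && ! Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_ALARM];

    # Collapse repeats of the same notice into one per hour.
    n$suppress_for = 1hr;
}
```

Every notice still gets Notice::ACTION_LOG by default, so the hook only decides what is escalated beyond notice.log.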