1. I see the introduction in bro overview: Bro targets high-speed
(Gbps). I am surprised and doubt it.
These issues are discussed at length in the original Bro paper and also
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, Operational
Experiences with High-Volume Network Intrusion Detection, Proc.
ACM CCS, October 2004.
available at http://www.bro-ids.org/publications.html.
2. I know bro supports defining signatures as regular expressions. I
want to know how bro supports
regular expressions: via Perl, or with its own implementation?
It has its own implementation, which is essentially the same as the one
used by the "flex" utility (freeware replacement for lex, which I wrote a
long time ago).
3. Is there a realtime alarm function in bro?
Yes. This is a basic question that is also answered in the Bro paper,
as well as in the documentation available from bro-ids.org.
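The two points above (regex-based signatures and real-time alerting) combined in one signature, as an added illustration that is not part of the original exchange. It uses the syntax of Bro's later documented signature framework; the signature name, port and payload pattern are made up for illustration.

```bro
# Constructed example: a Bro signature file (e.g. example.sig).
# The payload pattern is a regular expression matched by Bro's own
# flex-style engine, not by Perl.
signature example-cgi-probe {
    ip-proto == tcp
    dst-port == 80
    # Regex over the reassembled TCP payload, anchored at the start.
    payload /.*GET \/cgi-bin\/example-probe/
    # When it matches, Bro raises a signature_match event immediately,
    # which the notice framework turns into a real-time alarm.
    event "example-cgi-probe: CGI probe seen in HTTP request"
}
```

Loaded with `@load-sigs` (or the `-s` command-line option), a match raises `signature_match` in script-land as traffic is processed, so the alarm is generated at detection time rather than from a later batch pass.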