I'm currently working on my master's thesis here at the Swiss Federal Institute of Technology in Zurich.
It's about "scan detection based identification of worm-infected hosts"
in small LANs.
Now I'm evaluating Bro and trying to use it for my purposes.
I'm currently using Bro 0.9a7 on a Linux PC and I'm trying to implement
some existing scan detection approaches.
Here are my questions:
- I'm not quite sure about the future plans of Bro. Will there be
a lot of big changes from now until the release of 1.0? Incompatibilities?
- There exists a detection method which is based on the entropy of
IP headers (tuple: src, dst, src_port, dst_port). The algorithm stores this table of tuples every minute in a file and compresses it using
the LZO compression algorithm. Then the size of the file is an indicator
for network anomalies.
Now my question: how can I best implement this with Bro? How can I use
the LZO algorithm (which is available in C, Java, Perl...) to compress
my file every minute and get back the resulting file size?
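The compressibility-based detector described above, as an added stand-alone example that is not part of the original post and not Bro code: zlib stands in for LZO (which needs a third-party binding), the one-minute windows are constructed sample tuple tables, and the baseline, the 2x threshold and the function names are assumptions for illustration.

```python
import math
import zlib
from collections import Counter

# One-minute window = list of (src, dst, src_port, dst_port) tuples,
# every observed connection attempt kept, as the per-minute table would be.

def serialize(window):
    """Render the tuple table as the text file the method writes each minute."""
    return "\n".join("%s,%s,%d,%d" % t for t in window).encode()

def compressed_size(window):
    """Size of the compressed table; zlib used here instead of LZO (assumption)."""
    return len(zlib.compress(serialize(window), 9))

def tuple_entropy(window):
    """Shannon entropy (bits) of the tuple distribution, the quantity the
    compressed size is meant to approximate."""
    counts = Counter(window)
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def normal_window(n=300):
    # Constructed sample: ten client/server pairs talking repeatedly (low entropy).
    pairs = [("10.0.0.%d" % i, "10.0.1.%d" % (i % 3 + 1), 40000 + i, 80)
             for i in range(1, 11)]
    return [pairs[i % 10] for i in range(n)]

def scan_window(n=300):
    # Constructed sample: one host sweeping a /24 on port 445, a new
    # (dst, src_port) for every attempt, so almost every tuple is unique.
    return [("10.0.0.7", "10.0.2.%d" % (i % 254 + 1), 51000 + i, 445)
            for i in range(n)]

def is_anomalous(window, baseline_size, factor=2.0):
    """Flag a minute whose compressed table is far larger than the baseline
    learned from quiet minutes (factor is an illustrative choice)."""
    return compressed_size(window) > factor * baseline_size

if __name__ == "__main__":
    baseline = compressed_size(normal_window())
    for name, w in (("normal", normal_window()), ("scan", scan_window())):
        print("%-6s entropy=%.2f bits compressed=%d bytes anomalous=%s"
              % (name, tuple_entropy(w), compressed_size(w),
                 is_anomalous(w, baseline)))
```

In a real deployment the baseline would be learned from a rolling history of quiet minutes rather than a single window.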