- I'm not quite sure about the future plans of Bro. Will there be
a lot of big changes from now to the release of 1.0? Incompatibilities?
We don't have a precise roadmap, but of the anticipated changes, I don't
think any upcoming ones would be viewed as "big" for most Bro users. There
also will be some incompatibilities, but likewise I don't imagine these
will be viewed as major by most Bro users.
- There exists a detection method which is based on the entropy of
IP headers (tuple: src, dst, src_port, dst_port). The algorithm stores
this table of tuples every minute in a file and compresses it using
the LZO compression algorithm. Then the size of the file is an indicator
for network anomalies.
(Hmmmm, that seems a lot more coarse-grained than something like Bro's
TRW detector ....)
Now my question: how can I best implement this with Bro? How can I use
the LZO algorithm (which is available in C, Java, Perl...) to compress
my file every minute and get back the resulting file size?
If you really want to do that, the natural way would be to add it as a
built-in function (see src/bro.bif for how these are defined). Ideally,
the function would compute it in an incremental fashion, so the result can
be updated a piece at a time in real-time. Computing it in a batch every
minute or so, with a corresponding large CPU burst required, is not in
keeping with real-time analysis & detection.