Hi,
I am a grad student trying to get acquainted with Bro. I have tried using it on a few datasets available (including the old DARPA ones). I am able to get logs and notices and weirds, but I have doubts about Bro configuration:
- How do the IP ranges specified in Site::local_nets and networks.cfg affect Bro’s monitoring? Do they have different use cases, or can they be used interchangeably? Or do they have nothing to do with each other? (As of now, my Site::local_nets and networks.cfg are identical.)
- From my layman’s understanding, given a PCAP, the larger the window of time and the number of packets that a system looks at, the more accurate its detection could be, the tradeoff being that of memory/performance. (I guess there won’t be any packet dropping when reading PCAPs.) Is that true?
- For someone who doesn’t know much about the Bro language, are there any generic configuration settings or tunables that might improve detection rates? Like the maximum size up to which a packet is read, or the number of packets that Bro simultaneously analyzes. (Snort has some parameters along these lines.)
- How does Bro handle packet defragmentation and stream reassembly? Is there documentation for the internals, about the various components and analyzers and how they analyze traffic? I am looking for a basic understanding.
Thank you.
Regards,
Sravan