announcing Bro
From: Vern Paxson (vern@icir.org)
Date: 11/18/02
- Previous message: oobs3c02@attbi.com: "IDS using Taps & network bridging"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ids@securityfocus.com Date: Sun, 17 Nov 2002 22:37:15 -0800 From: Vern Paxson <vern@icir.org>
Bro is a high-performance network intrusion detection system. It is built
around a policy-neutral "event engine" that pieces network packets into
events that reflect different types of activity. Some events are quite
low-level, such as the monitor seeing a connection attempt; some are specific
to a particular network protocol, such as an HTTP request or reply; and
some reflect high-level notions, such as a user having successfully
authenticated during a login session.
Bro runs the events produced by the event engine through a user-specified
"policy script" written in a high-level, customized language geared towards
network analysis in general and security analysis in particular. The
policy scripts can maintain and update global state information, write
arbitrary information to disk files, generate new events, call functions
(either user-defined or predefined), generate alerts that produce syslog
messages, or invoke arbitrary shell commands.
Bro is now publicly available in source code form under a BSD-like license,
with a (modest) home page at:
http://www.icir.org/vern/bro.html
You can get the "stable" 0.7 release from:
ftp://ftp.ee.lbl.gov/bro-pub-0.7-stable.tar.gz
or the "current" release (with considerably more features, including a
signature engine that can read Snort rules, but unfortunately is not yet
documented) from:
ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz
Fairly, but not fully, complete documentation is available from:
http://www.icir.org/vern/bro-manual/index.html
(split up into many files for quick browsing)
http://www.icir.org/vern/bro-manual/entire.html
(a single monolithic file, good for searching)
http://www.icir.org/vern/bro-manual/manual.ps
(Postscript, good for printing)
There's a Bro mailing list, too, bro@lbl.gov. To get on it, send a message
to majordomo@listserv.lbl.gov with "subscribe bro" in the *body*.
Vern
Vern Paxson
ICSI Center for Internet Research (ICIR)
and Lawrence Berkeley National Laboratory
vern@icir.org, vern@ee.lbl.gov
- Next message: buzzdee: "Re: how to build an inline ids?"
- Previous message: oobs3c02@attbi.com: "IDS using Taps & network bridging"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
