We all know snort, at least heard of it.
One guy in ILUGC runs his life on snort alarms coming to his bank network.
Intrusion detection is all about alerting or getting alerted or logging packets.
Usually attacks come from the Internet and they target vulnerabilities or
easy passwords or just try a denial of service or port scans.
It is not so easy to spot attacks but with intrusion detection software it is
possible with some effort.
snort is the industry standard, it is open source, but it is a signature
based system and some of the signatures are not free.
Bro is another software that does the same thing but in a completely different
way.
Bro is more of an anomaly detector as opposed to a packet signature matcher.
It therefore looks for events and bro comes pre built with 1000s of scripts
in its own programming language which I am trying to learn but it is somewhat
hard.
Bro can also understand netflow and it has several pluggable modules.
Bro can be made to log packet decodes as well as execute functions
thereby making it an intrusion prevention software as well.
I am now doing a project involving bro and though I lack practical knowledge
of using it I am sure a lot of you do not know beyond snort and IDS.
So I thought I could introduce bro.
I am sure it is better than snort in a lot of ways.
It is highly customizable and is also quite old being a research project
from USA.
Snort is from Israel.
Anyway since I will get paid only after I do my project using bro I will surely
have to learn it.
Bro is a highly configurable intrusion detection tool that can be used not
just for this purpose but also for several things with its scripts.
-Girish
--
Gayatri Hitech
http://gayatri-hitech.com
