Experiences Learned from Bro

Vern Paxson

Experiences Learned from Bro

Abstract:

Bro is a system for detecting network intruders in realtime by passively monitoring a network link. Its design emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Bro has been in production use since early 1996. We discuss the structure of the system and the lessons learned from our experiences, with an emphasis on some of the key challenges for future intrusion detection systems.

Vern Paxson, Network Research Group, Lawrence Berkeley National Labs

BibTeX

@inproceedings {271733,
author = {Vern Paxson},
title = {Experiences Learned from Bro},
booktitle = {1st Workshop on Intrusion Detection and Network Monitoring (ID 99)},
year = {1999},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/id-99/experiences-learned-bro},
publisher = {USENIX Association},
month = apr
}

Download

connect with us

twitter

usenix conference policies

Experiences Learned from Bro

Vern Paxson, Network Research Group, Lawrence Berkeley National Labs

connect with us

twitter

usenix conference policies

You are here

connect with us

Experiences Learned from Bro

Vern Paxson, Network Research Group, Lawrence Berkeley National Labs