Monday, May 22, 2006

Bro-IDS - Be Loved

On my day off I took the time to read about another interesting Open Source Network Intrusion Detection System, Bro-IDS. Besides Snort, I think it is another Open Source NIDS rich in protocol analyzers and cool features.

I'm reading almost all the papers published by the Bro-IDS community, which you can find here. I especially enjoyed the papers on Dynamic Application Layer Protocol Analysis for Network Intrusion Detection and Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic. The first outlines the problem with static, port-based protocol decoding, such as applying the HTTP analyzer to whatever flows through port 80: what if HTTP traffic flows through a port other than the standard well-known one, or non-HTTP traffic is tunneled through port 80? Bro-IDS implements the protocol identification analyzer (PIA) to solve this problem. The second paper emphasizes the importance of collecting full content data on high-speed networks and offers workarounds for the storage problem with methods such as traffic prioritizing, cutoff, classification, BPF filters, and so on. In the NSM approach full content data is very important, and I think this paper is very useful, especially since most Sguil users deploy NSM on commodity hardware, which is exactly what the paper used for its tests, with very impressive results.
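The port-versus-payload mismatch the first paper describes, as an added example (not Bro's code): a static port map beside a content-based classifier run over constructed flows. The signatures are simplified stand-ins for what Bro's PIA matches on, invented for this example.

```python
import re
from dataclasses import dataclass

# Port-based analyzer selection, the static scheme the paper criticises.
PORT_MAP = {80: "http", 22: "ssh", 25: "smtp", 443: "ssl"}

# Content signatures checked against the first bytes of each direction,
# regardless of port. Simplified stand-ins for what Bro's PIA matches on,
# constructed for this example and not taken from Bro's source.
SIGNATURES = {
    "http": (re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
             re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    "ssh":  (re.compile(rb"^SSH-[12]\.\d"), re.compile(rb"^SSH-[12]\.\d")),
    "smtp": (None, re.compile(rb"^220[ -]")),                    # server banner only
    "ssl":  (re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.S), None),  # TLS ClientHello
}

@dataclass
class Flow:
    dst_port: int
    client_first: bytes   # first payload bytes from the originator
    server_first: bytes   # first payload bytes from the responder

def static_classify(flow: Flow) -> str:
    """Choose the analyzer from the server port alone."""
    return PORT_MAP.get(flow.dst_port, "unknown")

def content_classify(flow: Flow) -> str:
    """Choose the analyzer whose signatures match the observed payload."""
    for proto, (c_sig, s_sig) in SIGNATURES.items():
        if c_sig and not c_sig.search(flow.client_first):
            continue
        if s_sig and not s_sig.search(flow.server_first):
            continue
        return proto
    return "unknown"

def find_mismatches(flows):
    """Flows where the port-based and payload-based verdicts disagree."""
    return [(f.dst_port, static_classify(f), content_classify(f))
            for f in flows if static_classify(f) != content_classify(f)]

# Constructed sample flows.
FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow(8080, b"GET /app HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n"),   # HTTP off its port
    Flow(80, b"SSH-2.0-OpenSSH_4.3\r\n", b"SSH-2.0-OpenSSH_4.3\r\n"),  # non-HTTP on 80
    Flow(25, b"", b"220 mail.example.test ESMTP\r\n"),
    Flow(443, b"\x16\x03\x01\x00\x41\x01\x00\x00\x3d\x03\x01", b""),
]
```

Running `find_mismatches(FLOWS)` flags the two flows the paper worries about: HTTP on 8080 that a port map would never hand to the HTTP analyzer, and an SSH session on port 80 that the port map would misparse as HTTP.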

I'm quite fascinated by what Bro-IDS offers. Though it is not as popular as Snort, its capabilities can't be underestimated at all.

At the time of writing I have had no luck compiling Bro-IDS 1.1, the current release, on OpenBSD. The previous version (0.9) compiled successfully, but I would like to try out the latest release since it has more advanced features and bugfixes.

If you have deployed Bro-IDS, feel free to comment and I would like to know your experience on it.

Peace :]

3 comments:

spoonfork said...

Vern Paxson has written a lot of interesting research papers in the area of network intrusion detection:

http://www.icir.org/vern/papers.html

sans said...

Could someone please tell me how to profile the pattern-matching part of the Bro-IDS programs?

smith said...

Which is the best profiling tool for optimizing the Bro-IDS programs?