Sunday, November 12, 2006

How is your Bro, I meant Bro cluster, the NIDS.

Lawrence Berkeley National Laboratory has developed a comprehensive approach to cyber security that allows the open exchange of scientific knowledge while simultaneously protecting critical resources from attacks -- the Bro intrusion detection system. And now, Bro is Big Bro in the form of a scalable cluster which will demonstrate its effectiveness on a 10 gigabit network connection during the SC06 conference to be held Nov. 11-17 in Tampa. The demo will be featured in LBNL's booth, as I have mentioned before.

But what is Bro? Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

So who wants Bro?
Bro is intended for use by sites requiring flexible, highly customizable intrusion detection. It is important to understand that Bro has been developed primarily as a research platform for intrusion detection and traffic analysis. It is not intended for someone seeking an "out of the box" solution. Bro is designed for use by Unix experts who place a premium on the ability to extend an intrusion detection system with new functionality as needed, which can greatly aid with tracking evolving attacker techniques as well as inevitable changes to a site's environment and security policy requirements.

Bro has a lot of features, but the most striking one for me is:
Snort Compatibility Support
The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro signatures. Along with translating the format of the signatures, snort2bro also incorporates a large number of enhancements to the standard set of Snort signatures to take advantage of Bro's additional contextual power and reduce false positives.
This is what led me to try Bro.
I guess you need to visit Bro Intrusion Detection System and learn more. Also, Bro is open source, and you can download and try it. It runs on commodity PCs, and what better way to find out about the software than running it yourself?
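To make the snort2bro idea above concrete, here is a small Python converter I wrote as an added example; it is not code from the original post and not the Bro distribution's own snort2bro. It parses a Snort rule and emits a Bro signature using the conditions documented for Bro's signature language (ip-proto, dst-port, tcp-state, payload, event). The sample rule is constructed, modelled on the classic Snort web-attack rules; the mapping of $HTTP_PORTS to port 80 is an assumed site setting, and the IP variables ($EXTERNAL_NET, $HTTP_SERVERS) are deliberately left untranslated. The flow: option is where Bro's connection tracking adds context: a stateless content match becomes a condition on established connections and on data from the originator only.

```python
import re

# Constructed sample rule (modelled on the classic Snort web-attack rules),
# not taken from any real ruleset.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; sid:1002; rev:5;)'
)

# Assumed site-variable mapping; a real deployment would take these values
# from its snort.conf. Unknown variables and "any" pass through unchanged.
PORT_VARS = {"$HTTP_PORTS": "80"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One "key:value;" or bare "key;" option; quoted values may contain ';'.
OPT_RE = re.compile(r'\s*(?P<key>\w+)(?::(?P<val>(?:"[^"]*"|[^;])*))?;')
PAYLOAD_RE = re.compile(r"^\s*payload /(.*)/$", re.M)


def parse_snort_rule(rule):
    """Split a one-line Snort rule into its header fields and ordered option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    opts = fields.pop("opts")
    fields["options"] = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(opts)]
    return fields


def content_to_regex(content, nocase):
    """Turn a Snort content string into a regex; nocase becomes [aA] classes."""
    if "|" in content:
        raise ValueError("hex-byte content (|..|) is not handled in this example")
    out = []
    for ch in content:
        if nocase and ch.isalpha():
            out.append("[%s%s]" % (ch.lower(), ch.upper()))
        else:
            out.append(re.escape(ch))
    return "".join(out)


def to_bro_signature(rule, port_vars=PORT_VARS):
    """Emit a Bro signature (ip-proto/dst-port/tcp-state/payload/event) for one Snort rule."""
    r = parse_snort_rule(rule)
    contents, msg, sid, flow = [], None, None, ""
    for key, val in r["options"]:
        if key == "content":
            contents.append([val, False])
        elif key == "nocase" and contents:  # modifier applies to the preceding content
            contents[-1][1] = True
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = val
        elif key == "flow":
            flow = val
    lines = ["signature sid-%s {" % sid, "  ip-proto == %s" % r["proto"]]
    dport = port_vars.get(r["dport"], r["dport"])
    if dport != "any":
        lines.append("  dst-port == %s" % dport)
    # flow:to_server,established -> match only on established connections and
    # only on data sent by the connection originator.
    states = []
    if "established" in flow:
        states.append("established")
    if "to_server" in flow:
        states.append("originator")
    elif "to_client" in flow:
        states.append("responder")
    if states:
        lines.append("  tcp-state %s" % ",".join(states))
    for pat, nocase in contents:
        # Bro anchors payload regexes at the start of the payload, so ".*" is
        # needed to match the content anywhere, as Snort's content does.
        lines.append("  payload /.*%s/" % content_to_regex(pat, nocase))
    lines.append('  event "%s"' % msg)
    lines.append("}")
    return "\n".join(lines)


def signature_matches(sig_text, payload):
    """Check a payload against the emitted payload conditions. Python's re is a
    stand-in for Bro's matcher here; it agrees for the simple patterns emitted."""
    return all(re.match(rx, payload) for rx in PAYLOAD_RE.findall(sig_text))


if __name__ == "__main__":
    sig = to_bro_signature(SNORT_RULE)
    print(sig)
    print(signature_matches(sig, "GET /scripts/../winnt/system32/CMD.exe?/c+dir HTTP/1.0"))
```

Running it prints a signature block with `tcp-state established,originator` and `payload /.*[cC][mM][dD]\.[eE][xX][eE]/`; the case-insensitive match is spelled out as character classes rather than relying on a regex flag. The converter only covers the subset of Snort options used in the sample (msg, flow, content, nocase, sid); hex-byte content, IP variables and the other content modifiers are left for the real snort2bro.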

Bro's home, not yours.
