Analysis of Incidents and Alarms

Rule one: There are no rules ....

This section describes a specific procedure that can be followed with each "incident" that Bro uncovers, but one must keep in mind that intrusion detection is not a static problem. The perpetrators of intrusions and malicious network activity are constantly changing their techniques with the express purpose of evading detection. Unexpected activities are often found by investigating seemingly innocuous network oddities or by serendipitous inspection of logs. While Bro is an exceptionally useful tool for collecting, sorting, analyzing and flagging suspect network data, it cannot be expected to flag every new, cleverly disguised attack. Nor can it be expected to differentiate with 100% accuracy between aberrant, but legitimate, user behavior and a malicious attack. Sometimes a strong curiosity is an analyst's best friend, and Bro is the vehicle that allows him or her to follow that curiosity.