Summary: Bro: A System for Detecting Network Intruders in Real-Time
Vern Paxson
Network Research Group
Lawrence Berkeley National Laboratory
Berkeley, CA 94720
vern@ee.lbl.gov
LBNL-41197
Revised January 14, 1998
Abstract
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized lan-
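The mechanism/policy split the abstract describes, as an added example in Python (not Bro's own code): a kernel-style packet filter, an event engine that reduces TCP control packets to connection events, and a policy layer whose handlers decide what to report. The packet record, the event names and the scan threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple
# Constructed TCP packet record; flags: "S" = SYN, "SA" = SYN/ACK, "R" = RST.
Packet = namedtuple("Packet", "src dst sport dport flags")

def kernel_filter(packets):
    """Stage 1 (mechanism): pass only the control packets the engine needs."""
    return [p for p in packets if p.flags in ("S", "SA", "R")]

class EventEngine:
    """Stage 2 (mechanism): reduce packets to events; contains no policy."""
    def __init__(self):
        self.handlers = defaultdict(list)
        self.pending = set()          # (client, server, port) awaiting a reply
    def on(self, event, fn):
        self.handlers[event].append(fn)
    def emit(self, event, **args):
        for fn in self.handlers[event]:
            fn(**args)
    def process(self, pkt):
        if pkt.flags == "S":
            self.pending.add((pkt.src, pkt.dst, pkt.dport))
            self.emit("connection_attempt", src=pkt.src, dst=pkt.dst, port=pkt.dport)
        elif (key := (pkt.dst, pkt.src, pkt.sport)) in self.pending:  # reply: server -> client
            self.pending.discard(key)
            name = "connection_established" if pkt.flags == "SA" else "connection_rejected"
            self.emit(name, src=key[0], dst=key[1], port=key[2])

def run_policy(packets, scan_threshold=3):
    """Stage 3 (policy): handlers decide which events deserve a notification."""
    notices, ports_by_src = [], defaultdict(set)
    engine = EventEngine()
    def attempt(src, dst, port):
        ports_by_src[src].add(port)
        if len(ports_by_src[src]) == scan_threshold:
            notices.append(f"scan? {src} probed {scan_threshold} ports on {dst}")
    def rejected(src, dst, port):
        notices.append(f"rejected {src} -> {dst}:{port}")
    engine.on("connection_attempt", attempt)
    engine.on("connection_rejected", rejected)
    for p in kernel_filter(packets):
        engine.process(p)
    return notices

# Constructed traffic: one normal connection, then one host probing three ports.
SAMPLE = [Packet("10.0.0.5", "10.0.0.9", 40000, 80, "S"),
          Packet("10.0.0.9", "10.0.0.5", 80, 40000, "SA"),
          Packet("10.0.0.7", "10.0.0.9", 41000, 22, "S"),
          Packet("10.0.0.9", "10.0.0.7", 22, 41000, "R"),
          Packet("10.0.0.7", "10.0.0.9", 41001, 23, "S"),
          Packet("10.0.0.7", "10.0.0.9", 41002, 25, "S")]
```

Changing what is reported means editing only `run_policy`; the engine and filter stay untouched, which is the separation the paper argues for.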