The scientific seminar today was held by Slobodan and was about the Bro user group at the school. Bro is one of the 3 open source intrusion detection software packages discussed in Intrusion and detection systems. Bro is actually an advanced network monitoring tool that can be scripted to perform misuse-based and anomaly-based intrusion detection, and it is built on high-level event generation and heuristic protocol identification. The link to the homepage of the group is the brouser group at guc.

It's certainly an interesting piece of software, and I'll have to dig into it quite soon in order to play with it as a relevant data collector for my thesis.

Some questions were raised after the lecture (basically the slides from the IDS course):

  • Integration with operating system events: This is an interesting idea, but importing these into Bro is probably not what you want. You want to use Bro for what it is: a sensor. It's very good at creating events based on network traffic.
  • Discovering zero days: It is said that anomaly-based methods can detect zero day attacks, and this is kind of true, but in order to understand why: the other kind of detection is called misuse detection, where signatures of known attacks are matched against the traffic. A zero day is by definition something we have not seen before, so no signature exists. Anomaly-based detection can be described as having a "signature list" of what is normal (a large database) and notifying on a miss. Zero days will miss that list and be reported, but so will a lot of traffic that is not a zero day at all. Anomaly-based detection systems are therefore perfect for discovery and analysis, while misuse systems are perfect for stopping existing attacks.
  • Speed of Bro: No specific answer was given, as it depends on the number of protocols supported and the logic implemented, the speed of the machine and the size of memory. It is not multithreaded, but it can be set up with load balancers and multiple workers. It's an important question, but it depends on the type of traffic and the configuration.
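The misuse-versus-anomaly point above is easiest to see on data, so here is an added example (my own toy code, not Bro, not the seminar's material) that runs both approaches over a handful of constructed web-server log lines in the form "METHOD PATH STATUS". The signature list, the baseline of "normal" traffic and the test lines are all made up for the illustration. It shows the trade-off the bullet describes: the signature matcher only fires on the known pattern, while the baseline matcher reports the never-seen request and also a perfectly benign new section of the site.

```python
from collections import namedtuple

# One verdict per log line: which signatures matched, and whether the
# line missed the baseline of normal behaviour.
Verdict = namedtuple("Verdict", "line misuse anomaly")

# Constructed training traffic (not real logs): this is what "normal" looks like.
NORMAL_TRAFFIC = [
    "GET /index.html 200",
    "GET /about.html 200",
    "GET /images/logo.png 200",
    "GET /images/banner.png 200",
    "POST /login 302",
    "GET /docs/manual.html 200",
    "GET /missing.html 404",
]

# Hypothetical signature list for misuse detection: substrings of known attacks.
SIGNATURES = {
    "directory traversal": "../",
    "windows shell": "cmd.exe",
}


def misuse_detect(line, signatures=SIGNATURES):
    """Misuse detection: report every known-attack signature found in the line."""
    return sorted(name for name, pattern in signatures.items() if pattern in line)


def features(line):
    """Reduce a log line to (method, top-level path segment, status code)."""
    method, path, status = line.split()
    segment = path.strip("/").split("/")[0]
    return (method, segment, status)


def build_baseline(lines):
    """The anomaly detector's 'signature list' of what is normal."""
    return {features(line) for line in lines}


def anomaly_detect(line, baseline):
    """Notify on miss: anything not in the baseline is reported."""
    return features(line) not in baseline


def classify(lines, baseline=None, signatures=SIGNATURES):
    """Run both detectors over a list of log lines and return one Verdict each."""
    if baseline is None:
        baseline = build_baseline(NORMAL_TRAFFIC)
    return [
        Verdict(line, misuse_detect(line, signatures), anomaly_detect(line, baseline))
        for line in lines
    ]


# Constructed test traffic (not real logs), one line per situation of interest.
TEST_TRAFFIC = [
    "GET /index.html 200",            # normal: neither detector fires
    "GET /../../etc/passwd 404",      # known attack: signature fires, and it also misses the baseline
    "GET /cgi-bin/unknown.cgi 500",   # never-seen request ("zero day"): only the anomaly detector notices
    "GET /newsection/page.html 200",  # benign new content: anomaly false positive, no signature
]

if __name__ == "__main__":
    for verdict in classify(TEST_TRAFFIC):
        print(f"{verdict.line:32} misuse={verdict.misuse or '-'} anomaly={verdict.anomaly}")
```

The baseline here is deliberately crude (method, first path segment and status); a real anomaly detector would use richer features and a much larger training set, but the shape of the result is the same: the last two lines are indistinguishable to the anomaly detector, which is exactly why the bullet calls it a discovery-and-analysis tool rather than a blocking one.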