big brother is watching
“Bro” passively monitors the network at some key location (say, the border router)
Reconstructs flows and searches them for known “attack signatures” -- a manually created database based on known network attacks
Provides real-time notification of security personnel when it sees something suspicious
Future versions may actively terminate connections by sending forged TCP RST
ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z
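To make the "reconstructs flows and searches for signatures" bullet concrete, here is an added toy monitor in Python. It is not code from the slide or from the Bro project; the packet records, the flow key, the signature table and the `FlowMonitor`/`run_demo` names are all assumptions made for this example. It shows why reassembly matters: a pattern split across two segments that arrive out of order is invisible to per-packet matching but is caught once the flow is stitched back together, and a retransmission does not raise a second alert.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured TCP segment (only the fields the monitor needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


# Manually curated "attack signature" table, as the slide describes.
# The strings are illustrative patterns chosen for this example, not a real ruleset.
SIGNATURES = {
    "ftp-site-exec": b"SITE EXEC",
    "http-cgi-probe": b"/cgi-bin/phf",
}


def per_packet_matches(packets, signatures):
    """Naive matcher that looks at each packet in isolation (no flow reconstruction)."""
    return [name for pkt in packets
            for name, pat in signatures.items() if pat in pkt.payload]


class FlowMonitor:
    """Passive monitor: reconstructs each TCP direction from its segments and
    searches the reassembled stream for the signatures, alerting once per flow."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.segments = defaultdict(dict)   # flow key -> {seq: payload}
        self.alerts = []                    # (signature name, flow key)
        self.notifications = []             # stand-in for paging security staff

    def observe(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Keep the first copy of a segment; a retransmission must not create a new alert.
        self.segments[key].setdefault(pkt.seq, pkt.payload)
        stream = self.reassemble(key)
        for name, pattern in self.signatures.items():
            if pattern in stream and (name, key) not in self.alerts:
                self.alerts.append((name, key))
                self.notify(name, key)

    def reassemble(self, key):
        """Stitch segments together in sequence order, trimming overlaps and
        stopping at the first hole, so a pattern split across packets is still seen."""
        segs = self.segments[key]
        out = bytearray()
        expected = None
        for seq in sorted(segs):
            data = segs[seq]
            end = seq + len(data)
            if expected is None:
                expected = seq
            if seq > expected:
                break               # hole: wait for the missing segment
            if end <= expected:
                continue            # duplicate data already delivered
            out += data[expected - seq:]
            expected = end
        return bytes(out)

    def notify(self, name, key):
        # Real-time notification; here it is just recorded and printed.
        msg = f"ALERT {name} on {key[0]}:{key[1]} -> {key[2]}:{key[3]}"
        self.notifications.append(msg)
        print(msg)


# Constructed traffic (hypothetical addresses): one FTP command split across two
# segments that arrive out of order, one retransmission, and a benign connection.
FTP_KEY = ("10.0.0.5", 40000, "192.0.2.10", 21)
DEMO_PACKETS = [
    Packet(*FTP_KEY, seq=1007, payload=b"EC ls\r\n"),      # second half arrives first
    Packet(*FTP_KEY, seq=1000, payload=b"SITE EX"),        # first half fills the hole
    Packet(*FTP_KEY, seq=1000, payload=b"SITE EX"),        # retransmission
    Packet("10.0.0.6", 40001, "192.0.2.10", 21, seq=500, payload=b"USER anonymous\r\n"),
]


def run_demo(packets=DEMO_PACKETS):
    mon = FlowMonitor(SIGNATURES)
    for pkt in packets:
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("per-packet matches:", per_packet_matches(DEMO_PACKETS, SIGNATURES))
    print("flow-level alerts:", m.alerts)
```

Running it shows no per-packet matches but one flow-level alert for the FTP connection, fired the moment the missing first segment arrives. A real monitor would also track both directions, expire idle flows, and handle wrapped sequence numbers; those are left out here to keep the reassembly logic readable.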