thoughts on bro

• It provides a nice site-wide view of security

• It’s not disruptive to users

• It’s centrally administered

• Unlike a firewall, which stops badness before it starts, bro’s alarm may come too late

• It can’t flag attacks that are not in its database of known attack signatures

• It can not reliably determine what an end-station is seeing, for a variety of reasons

Previous slide

Next slide

Back to first slide

View graphic version