Homework #4 - Network Monitoring - Due Mon Feb 3, 1PM
Turn in this assignment via email (vern@berkeley.edu, plain text/HTML/Word) by the due date, with the term Homework in the Subject.

Read the paper Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999. (It's fine to skip the appendix.)

Briefly write up your views of:

  1. What are the main contributions of this paper?
  2. What parts of the paper do you find unclear? (optional)
  3. What parts of the paper are questionable? (That is, you think a conclusion may be wrong, an approach or evaluation technically flawed, or data ill-presented.)
  4. For many years, Snort was the popular freeware NIDS. It first appeared right around when Bro did. Look over the sections on Writing Snort Rules, Rule Development, and Writing High Performance Pattern Matching Rules in the original Snort paper, pp. 232-234, to get a sense of Snort's model of how to express network monitoring analysis. From this, what do you see as its strengths and weaknesses for detecting attacks? (Do not consult additional references to answer this question.)