In this section we discuss the difficult problem of defending the monitor against attacks upon itself. We defer discussion of Bro's application-specific processing until after this section, because elements of that processing reflect attempts to defeat the types of attacks we describe here.
As discussed in § 1, we assume that an attacker attempting to subvert the monitor has full access to the monitor's algorithms and source code, but controls only one of the two endpoints of any connection. In addition, we assume that the attacker does not have access to the Bro policy script, which each site will have customized and should keep well protected.
While previous work has addressed the general problem of testing intrusion detection systems [PZCMO96], that work has focused on correctness, that is, on whether a system does indeed recognize the attacks it claims to detect. To our knowledge, the literature does not contain any discussion of attacks specifically aimed at subverting a network intrusion detection system, other than the discussion in [PZCMO96] of the general problem of the monitor failing to keep up under high load.
For our purposes, we classify network monitor attacks into three categories: overload, crash, and subterfuge. The remainder of this section defines each category and briefly discusses the degree to which Bro meets that class of threat.