Node: General Process Steps, Next: Understand What Triggered the Alarm(s), Previous: Two Types of Triggers, Up: Analysis of Incidents and Alarms
The following steps serve two purposes: they help the Bro user uncover network activity of interest, and they acquaint the user with the kinds of anomalies Bro reports, so that over time the analyst builds up an understanding of what constitutes "normal" network traffic for the local site. For each incident, the analyst works through the steps in order until a firm determination has been made as to whether the incident is malicious or a "false positive".