|This article relies too much on references to primary sources. (September 2011) (Learn how and when to remove this template message)|
||The neutrality of this article is disputed. (July 2016) (Learn how and when to remove this template message)|
Originally written by Vern Paxson, Bro is an open source Unix based network monitoring framework. Often compared to a network intrusion detection system (NIDS), Bro can be used to build a NIDS but is much more. Bro can also be used for collecting network measurements, conducting forensic investigations, traffic baselining and more. Bro has been compared to tcpdump, Snort, netflow, and Perl (or any other scripting language) all in one. It is released under the BSD license.
|Original author(s)||Vern Paxson|
2.5 / November 16, 2016
|Operating system||Linux, FreeBSD, Mac OS X|
|Type||Network intrusion detection system|
Bro can be conceptualized in two layers
- Bro Event Engine, which analyzes live or recorded network traffic or trace files to generate neutral events.
Bro uses an engine (written in C++) to generate events when "something" happens. This can be triggered by the Bro process, such as just after initialization or just before termination of the Bro process, as well as by something taking place on the network (or trace file) being analyzed, such as Bro witnessing an HTTP request or a new TCP connection. Bro uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened.
- Bro Policy Scripts, which analyze events to create action policies.
Events are handled from within Bro policy scripts (written in the Turing complete Bro scripting language). By default Bro simply logs information about events to files (Bro also supports logging events in binary output), however it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Bro script. The default behavior produces NetFlow-like output (conn log) as well as application event information. Bro scripts are able to read in data from external files, such as blacklists, for use within Bro policy scripts.
Most Bro analyzers are located in Bro's event engine with an accompanying policy script. The policy script can be customized by the user. The analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis . Bro's has been designed so that it is easy to add additional analyzers. Some application layer analyzers included with Bro are HTTP, FTP, SMTP and DNS amongst others. Other non-application layer analyzers include analyzers that detect host or port scans, intermediary hosts and syn-floods. Bro also includes signature detection and allows the import of Snort signatures.