What is Bro?
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS)
that passively monitors network traffic and looks for suspicious activity.
Bro detects intrusions by first parsing network traffic to extract its
application-level semantics and then executing event-oriented analyzers
that compare the activity with patterns deemed troublesome. Its analysis
includes detection of specific attacks (including those defined by
signatures, but also those defined in terms of events) and unusual
activities (e.g., certain hosts connecting to certain services, or patterns
of failed connection attempts).
Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site
policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be
instructed to generate a log entry, alert the operator in real time, or execute an operating system
command (e.g., to terminate a connection or block a malicious host on the fly). In addition, Bro's
detailed log files can be particularly useful for forensics.
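As an added illustration of what such a site policy looks like (example code written for this page, not a script from the Bro distribution), the following script handles the pattern of failed connection attempts mentioned above: it counts rejected connections per source host and raises a notice once a threshold is reached. It assumes the Bro 2.x scripting API (the connection_rejected event and the Notice framework); the module name, threshold and time window are illustrative choices.

```bro
# Added example, not part of the Bro manual. Assumes the Bro 2.x
# scripting API; the threshold and window below are arbitrary choices.
@load base/frameworks/notice

module FailedConnScan;

export {
    redef enum Notice::Type += {
        ## A host had many connection attempts rejected in a short window.
        Rejected_Connection_Burst,
    };

    ## Number of rejected attempts from one host that triggers the notice.
    const threshold = 20 &redef;
}

# Per-source count of rejected connection attempts. Entries expire five
# minutes after creation, so the table cannot grow without bound and the
# count reflects a burst rather than a long-term total.
global rejected: table[addr] of count &create_expire = 5 mins;

# connection_rejected fires when a TCP SYN is answered with a RST, i.e. a
# failed connection attempt as seen by the monitor.
event connection_rejected(c: connection)
{
    local orig = c$id$orig_h;

    if ( orig !in rejected )
        rejected[orig] = 0;
    ++rejected[orig];

    # Raise the notice exactly once per burst; $identifier plus
    # $suppress_for keeps repeated hits from flooding the operator.
    if ( rejected[orig] == threshold )
        NOTICE([$note=Rejected_Connection_Burst,
                $msg=fmt("%s had %d connection attempts rejected within 5 minutes",
                         orig, threshold),
                $src=orig,
                $conn=c,
                $identifier=cat(orig),
                $suppress_for=1 hr]);
}
```

Loading this script alongside the default policy writes the notice to notice.log; the Notice framework's action configuration decides whether it is also e-mailed or paged to the operator.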
Bro targets high-speed (Gbps), high-volume intrusion detection. By judiciously leveraging packet-filtering
techniques, Bro is able to achieve the necessary performance while running on commercially available PC
hardware, and thus can serve as a cost-effective means of monitoring a site's Internet connection.
Bro's Target Users
Bro is intended for use by sites requiring flexible, highly customizable intrusion detection. It is important
to understand that Bro has been developed primarily as a research platform for intrusion detection and
traffic analysis. It is not intended for someone seeking an "out of the box" solution. Bro is designed
for use by Unix experts who place a premium on the ability to extend an intrusion detection system with
new functionality as needed, which can greatly aid with tracking evolving attacker techniques as
well as inevitable changes to a site's environment and security policy requirements.
Since Bro is open source and runs on commodity PC hardware, it provides a low-cost means to experiment
with alternative techniques. Some sites may wish to run a commercial IDS as their front line of defense,
and then also run Bro as a way to:
- Verify the results of the commercial IDS / defense-in-depth
- Attain richer forensics capabilities
- Provide policy-checking capabilities not facilitated by the commercial IDS
- Experiment with new approaches and incorporate leading-edge research