Bro Intrusion Detection System


Bro Features and Benefits

  • Network Based
    Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific network location. A single Bro monitor, strategically placed at a key network junction, can be used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or require installation of client software on each individual, networked computer.
  • Rich Application-Layer Analysis
    A primary feature of Bro is that it includes detailed, parser-driven analysis of many popular application protocols. The output of these analyzers is a stream of events that describe observed activity in semantically rich, high-level terms. These events themselves do not constitute security alerts, but rather provide the input for further, stateful processing using Bro's custom scripting language.
  • Custom Scripting Language
    Bro policy scripts are programs written in the Bro language. They contain the "rules" that describe what sorts of activities are deemed troublesome. They analyze the network activity and initiate actions based on the analysis. Although the Bro language takes some time and effort to learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually any type of network activity.
  • Pre-written Policy Scripts
    Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives, i.e., alerts that mistake uninteresting activity for important attack activity. These supplied policy scripts run "out of the box" and do not require knowledge of the Bro language or policy script mechanics.
  • Powerful Signature Matching Facility
    Bro policies incorporate a signature matching facility that looks for specific traffic content. For Bro, these signatures are expressed as regular expressions rather than fixed strings. Bro's rich language adds a great deal of power to its signature matching: a signature can not only examine network content but also consult the context in which the content appears, greatly reducing the number of false positives. Bro comes with a set of high-value signature policies, selected for their high detection rate and low false-positive characteristics.
  • Network Traffic Analysis
    Bro not only looks for signatures, but can also analyze network protocols, connections, transactions, data amounts, and many other network characteristics. It has powerful facilities for storing information about past activity and incorporating it into analyses of new activity.
  • Detection Followed by Action
    Bro policy scripts can generate output files recording the activity seen on the network (including normal, non-attack activity). They can also generate problem alerts to event logs, including the operating system syslog facility. In addition, scripts can execute programs, which can, in turn, send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with appropriate additional software, insert access control blocks into a router's access control list. With Bro's ability to execute programs at the operating system level, the actions that Bro can initiate are only limited by the computer and network capabilities that support Bro.
  • Snort Compatibility Support
    The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro signatures. Along with translating the format of the signatures, snort2bro also incorporates a large number of enhancements to the standard set of Snort signatures to take advantage of Bro's additional contextual power and reduce false positives.
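As an added illustration of the signature facility and the scripting layer around it (this is example code written for this page, not part of the Bro distribution), the following shows a signature expressed as a regular expression together with the policy-script side that supplies context. It assumes Bro 2.x syntax; the file name `sample.sig`, the function `from_outside` and the notice type `Cleartext_Credentials` are names chosen here.

```bro
# ---- sample.sig (hypothetical file name; Bro 2.x signature syntax assumed) ----
#
# signature http-basic-auth-cleartext {
#     ip-proto == tcp
#     dst-port == 80
#     # A regular expression, not a fixed string: any request header line
#     # that carries an HTTP Basic credential over cleartext HTTP.
#     http-request-header /^Authorization: Basic /
#     # Only consider data the client sent after the handshake completed.
#     tcp-state established,originator
#     # Context check implemented in policy-script code below: the signature
#     # only fires if this function returns true for the connection.
#     eval from_outside
#     event "Cleartext HTTP Basic credentials from outside the site"
# }

# ---- detect-cleartext-auth.bro (hypothetical file name) ----

@load base/frameworks/notice

# Load the signature file that sits next to this script.
@load-sigs ./sample.sig

redef enum Notice::Type += {
    ## Raised when the signature above matches for an external client.
    Cleartext_Credentials,
};

# Called from the signature's `eval` clause. Returning false suppresses the
# match, so internal clients talking to internal servers never raise an alert.
function from_outside(state: signature_state, data: string): bool
{
    return ! Site::is_local_addr(state$conn$id$orig_h);
}

# The generic event the signature engine raises for every signature hit.
# Filtering on sig_id keeps this handler specific to our signature.
event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$sig_id != "http-basic-auth-cleartext" )
        return;

    NOTICE([$note=Cleartext_Credentials,
            $conn=state$conn,
            $msg=msg,
            # Suppress duplicate notices for the same client/server pair.
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
}
```

The point of the `eval` clause is the contextual check the text describes: the regular expression alone would fire on every Basic credential seen, including internal traffic the site may consider acceptable, whereas the script function restricts the alert to the cases the site actually cares about.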

Technical Details Overview

Architecturally, Bro is layered into three major components. It uses the now-standard libpcap packet-capture library developed by LBNL's Network Research Group to filter the packet stream in the kernel for high performance.

The filtered packets are then passed along to Bro's event engine, which reduces the filtered stream into a series of higher-level events. These events reflect network activity in policy-neutral terms: they describe what has happened, but not why or whether it is significant.

Finally, Bro's policy script interpreter executes event handlers written in the custom Bro scripting language. These scripts express a site's security policy, i.e., what actions to take when the monitor detects different types of activity. The scripting language is very powerful, allowing Bro to track detailed information about the network's activity. Scripts can generate real-time alerts and can also execute arbitrary programs. This last capability means that Bro can respond to attacks. For example, at LBNL the operational Bro configuration will sometimes block a remote Internet host from further access to the Laboratory's network, which can be viewed as a form of reactive firewall.
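The three layers described above, and the "detection followed by action" idea from the feature list, can be seen in one short policy script. The following is an added example written for this page, not code from the Bro project or from LBNL's operational configuration. It assumes Bro 2.x syntax; the module name `ScanWatch`, the notice type `Rejected_Connections`, the thresholds and the `block_cmd` setting are all choices made here, and `block_cmd` is a placeholder for whatever site-specific program would install a block.

```bro
# Stateful handling of policy-neutral events: the event engine reports each
# rejected TCP connection; this script decides when that becomes a problem.
@load base/frameworks/notice

module ScanWatch;

export {
    redef enum Notice::Type += {
        ## Raised when a remote host exceeds the rejected-connection threshold.
        Rejected_Connections,
    };

    ## Rejected connections from one remote host before an alert is raised.
    const threshold = 20 &redef;

    ## A host's count is forgotten if it stays quiet for this long.
    const expire_window = 5 min &redef;

    ## Placeholder for a site-specific blocking program (hypothetical); leave
    ## empty to log and notify only.
    const block_cmd = "" &redef;
}

# Past-activity state, as the text describes: a per-host counter whose
# entries expire when not updated within expire_window.
global rejects: table[addr] of count &default=0 &write_expire=expire_window;

# Hosts already reported, so each one produces a single notice per window.
global reported: set[addr] &write_expire=expire_window;

# The event engine raises connection_rejected for a TCP SYN answered by RST.
# On its own the event says only what happened; the policy lives below.
event connection_rejected(c: connection)
{
    local h = c$id$orig_h;

    # Only remote hosts are of interest here.
    if ( Site::is_local_addr(h) )
        return;

    ++rejects[h];

    if ( rejects[h] < threshold || h in reported )
        return;

    add reported[h];

    # Detection: a real-time alert written to notice.log (and routed below).
    NOTICE([$note=Rejected_Connections,
            $src=h,
            $msg=fmt("%s had %d connections rejected within %s",
                     h, rejects[h], expire_window),
            $identifier=cat(h)]);

    # Action: hand the host to an external program, if one is configured.
    if ( block_cmd != "" )
        system(fmt("%s %s", block_cmd, h));
}

# Route this notice type to e-mail in addition to the log file.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Rejected_Connections )
        add n$actions[Notice::ACTION_EMAIL];
}
```

Because the external action is a shell command built from an attacker-controlled value (the remote address), the script passes only a formatted `addr`, never raw packet content, to `system()`; a site adopting this pattern should keep the blocking program itself responsible for validating its argument.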


© 2003-2010, Lawrence Berkeley National Laboratory