Bro (software)
Original author(s) | Vern Paxson |
---|---|
Stable release | 2.3.2 / January 23, 2015 |
Written in | C++ |
Operating system | Linux, FreeBSD, Mac OS X |
Type | Network intrusion detection system |
License | BSD license |
Website | www.bro.org |
Originally written by Vern Paxson, Bro is an open source Unix based network monitoring framework. Often compared to a Network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more. Bro can also be used for collecting network measurements, conducting forensic investigations, traffic baselining and more. Bro has been compared to tcpdump, Snort, netflow, and Perl (or any other scripting language) all in one. It is released under the BSD license.
Bro Internals
Bro can be conceptualized in two layers
- Bro Event Engine, which analyzes live or recorded network traffic or trace files to generate neutral events.
Bro uses an engine (written in C++) to generate events when "something" happens. This can be triggered by the Bro process, such as just after initialization or just before termination of the Bro process, as well as by something taking place on the network (or trace file) being analyzed, such as Bro witnessing an HTTP request or a new TCP connection. Bro uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened. - Bro Policy Scripts, which analyze events to create action policies.
Events are handled from within Bro policy scripts (written in the Turing complete Bro scripting language). By default Bro simply logs information about events to files (Bro also supports logging events in binary output), however it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Bro script. The default behavior produces netflow-like output (conn log) as well as application event information. Bro scripts are able to read in data from external files, such as blacklists, for use within Bro policy scripts.
External links
- Bro IDS Home page
- The original paper describing Bro
- Bruce Schneier: Crypto-Gram June 15, 2014: "The NSA is Not Made Of Magic", likening the NSA tool "X-KEYSTORE" to "Bro plus memory".