IDS mailing list archives

announcing Bro


From: Vern Paxson <vern () icir org>
Date: Sun, 17 Nov 2002 22:37:15 -0800

Bro is a high-performance network intrusion detection system.  It is built
around a policy-neutral "event engine" that pieces network packets into
events that reflect different types of activity.  Some events are quite
low-level, such as the monitor seeing a connection attempt; some are specific
to a particular network protocol, such as an HTTP request or reply; and
some reflect high-level notions, such as a user having successfully
authenticated during a login session.

Bro runs the events produced by the event engine through a user-specified
"policy script" written in a high-level, customized language geared towards
network analysis in general and security analysis in particular.  The
policy scripts can maintain and update global state information, write
arbitrary information to disk files, generate new events, call functions
(either user-defined or predefined), generate alerts that produce syslog
messages, or invoke arbitrary shell commands.

Bro is now publicly available in source code form under a BSD-like license,
with a (modest) home page at:

        http://www.icir.org/vern/bro.html

You can get the "stable" 0.7 release from:

        ftp://ftp.ee.lbl.gov/bro-pub-0.7-stable.tar.gz

or the "current" release (with considerably more features, including a
signature engine that can read Snort rules, but unfortunately is not yet
documented) from:

        ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz

Fairly, but not fully, complete documentation is available from:

        http://www.icir.org/vern/bro-manual/index.html
                (split up into many files for quick browsing)

        http://www.icir.org/vern/bro-manual/entire.html
                (a single monolithic file, good for searching)

        http://www.icir.org/vern/bro-manual/manual.ps
                (Postscript, good for printing)

There's a Bro mailing list, too, bro () lbl gov.  To get on it, send a message
to majordomo () listserv lbl gov with "subscribe bro" in the *body*.

                Vern


Vern Paxson

ICSI Center for Internet Research (ICIR)
and  Lawrence Berkeley National Laboratory

vern () icir org, vern () ee lbl gov
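To make the event-engine / policy-script split described above concrete, here is a small policy script in the Bro language. It is an added example, not code from the announcement or from the Bro distribution; the event name connection_attempt, the connection record fields, and the alarm and fmt built-ins are assumed from the Bro manual of this era, and the threshold of 20 is a constructed value.

```bro
# Global state maintained by the policy script: how many connection
# attempts the event engine has reported for each source address.
global attempts: table[addr] of count &default = 0;

# Constructed threshold after which a source is reported.
const attempt_threshold = 20;

# Sources already reported, so a noisy host produces a single alert.
global reported: set[addr];

# The event engine raises connection_attempt for an initial SYN that
# has not been answered; the script decides what, if anything, to do.
event connection_attempt(c: connection)
	{
	local orig = c$id$orig_h;
	++attempts[orig];

	if ( attempts[orig] >= attempt_threshold && orig !in reported )
		{
		add reported[orig];
		# alarm writes to the alarm log and generates a syslog message.
		alarm fmt("%s has made %d connection attempts", orig, attempts[orig]);
		}
	}
```

The engine stays policy-neutral: it only reports that an attempt happened, while the threshold, the state and the alert all live in the script and can be changed without touching the engine.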