Bro - Network Intrusion Detection System

Posted in security


Bro is an open-source, Unix based network based Intrusion Detection System (NIDS) developed by Vern Paxson at Lawrence Berkeley National Lab and the International Computer Science Institute that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.

Bro uses a specialized policy language that allows a site to tailor Bro’s operation, both as site policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be instructed to generate a log entry, alert the operator in real time, or execute an operating system command (e.g., to terminate a connection or block a malicious host on the fly). In addition, Bro’s detailed log files can be particularly useful for forensics.

Bro is intended for use by sites requiring flexible, highly customizable intrusion detection. It is important to understand that Bro has been developed primarily as a research platform for intrusion detection and traffic analysis. It is not intended for someone seeking an “out of the box” solution. Bro is designed for use by Unix experts who place a premium on the ability to extend an intrusion detection system with new functionality as needed, which can greatly aid with tracking evolving attacker techniques as well as inevitable changes to a site’s environment and security policy requirements.

How does Bro detect intrusions?

Bro analyzes network traffic against rules describing what sort of activity is deemed troublesome. These rules might describe restrictions on activity (e.g., only certain hosts can connect to certain services), policies regarding what activity is worth alerting on (e.g., connection attempts to a given number of different hosts constitute a “scan”), or signatures describing known attacks or access to known vulnerabilities.

How does Bro analyze the traffic?

First, Bro filters the traffic, discarding elements of minimal importance to its analysis. The remaining information is sent to its “event” engine, where Bro interprets the structure of the network packets and abstracts them into higher-level events describing the activity. Finally, Bro executes policy scripts against the stream of events, looking for activity that the rules indicate should generate alerts or actions, such as possible intrusions.
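As an added illustration (not from the original post or from the Bro project itself), here is a small policy script in the style of Bro's 1.x-era scripting language that implements the “scan” rule described above: it handles the connection_attempt events produced by the event engine and raises a notice once a single source has tried to reach a configurable number of distinct hosts. The notice name AddressScan, the threshold value and the table name are assumptions chosen for this example.

```bro
# Added example, not part of the original post. Assumes Bro 1.x-era
# script syntax; the names below are chosen for illustration only.
@load notice

# Hypothetical notice type for this example.
redef enum Notice += { AddressScan };

# Number of distinct destination hosts one source may probe before
# we call it a scan. Sites can override this with redef.
const scan_threshold = 20 &redef;

# Per-source set of distinct destination hosts contacted. Entries
# expire an hour after they were last written, bounding memory use.
global scanners: table[addr] of set[addr] &write_expire = 1 hr;

# The event engine raises connection_attempt for unanswered
# connection attempts; the policy layer decides what they mean.
event connection_attempt(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	if ( orig !in scanners )
		scanners[orig] = set();

	add scanners[orig][resp];

	# Fire exactly once, when the threshold is first reached.
	if ( |scanners[orig]| == scan_threshold )
		NOTICE([$note=AddressScan, $src=orig, $conn=c,
		        $msg=fmt("%s attempted connections to %d distinct hosts",
		                 orig, scan_threshold)]);
	}
```

Whether the resulting notice is merely logged, mailed to the operator, or turned into a blocking action is decided separately by the site's notice policy, which is the flexibility the post refers to.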

Posted by admica   @   26 March 2009

1 Comment

#1 Joannah (Mar 28, 2009, 12:44 am):

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

Joannah

http://2gbmemory.net
