From Wikipedia, the free encyclopedia
  (Redirected from Bro (software))
Jump to navigation Jump to search
Original author(s) Vern Paxson
Stable release
2.5.5 / August 28, 2018; 50 days ago (2018-08-28)[1]
Repository Edit this at Wikidata
Written in C++
Operating system Linux, FreeBSD, macOS
Type Network intrusion detection system
License BSD license
Website www.bro.org

Bro is a free and open-source software network analysis framework; it was originally developed in 1994 by Vern Paxson and was named in reference to George Orwell's Big Brother from his novel Nineteen Eighty-Four. It can be used as a network intrusion detection system (NIDS) but with additional live analysis of network events.[2] It is released under the BSD license.

Bro's application architecture[edit]

IP packets captured with pcap are transferred to an event engine which accepts or rejects them. The accepted packets are forwarded to the policy script interpreter.

The event engine analyzes live or recorded network traffic or trace files to generate neutral events. It generates events when "something" happens. This can be triggered by the Bro process, such as just after initialization or just before termination of the Bro process, as well as by something taking place on the network (or trace file) being analyzed, such as Bro witnessing an HTTP request or a new TCP connection. Bro uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened.

Events are handled by policy scripts, which analyze events to create action policies. The scripts are written in the Turing complete Bro scripting language. By default Bro simply logs information about events to files (Bro also supports logging events in binary output); however, it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Bro script. The default behavior produces NetFlow-like output (conn log) as well as application event information. Bro scripts are able to read in data from external files, such as blacklists, for use within Bro policy scripts.

Bro analyzers[edit]

Most Bro analyzers are located in Bro's event engine with an accompanying policy script. The policy script can be customized by the user. The analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis.[3] Bro has been designed so that it is easy to add additional analyzers. Some application layer analyzers included with Bro are HTTP, FTP, SMTP and DNS amongst others. Other non-application layer analyzers include analyzers that detect host or port scans, intermediary hosts and syn-floods. Bro also includes signature detection and allows the import of Snort signatures.


  1. ^ "Releases – bro/bro". Retrieved 31 August 2018 – via GitHub.
  2. ^ McCarty, Ronald. "Bro IDS » ADMIN Magazine". ADMIN Magazine. Retrieved 2018-07-11.
  3. ^ Sommer, Robin (2003). "Bro: An Open Source Network Intrusion Detection System". citeseerx.ist.psu.edu. Munich, Germany: Computer Science Department TU München. CiteSeerX Retrieved 2018-07-11.

External links[edit]