Bro
Bro is a Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).
Features include:
- Network Based
  - Collects, filters, and analyzes traffic that passes through a specific network location
- Custom Scripting Language
  - Policy scripts are programs written in the Bro language. They contain the "rules" that describe what sorts of activities are deemed troublesome. They analyze the network activity and initiate actions based on the analysis
- Pre-written Policy Scripts
  - Comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the important attack activity
  - The supplied policy scripts will run "out of the box" and do not require knowledge of the Bro language or policy script mechanics
- Powerful Signature Matching Facility
  - Bro policies incorporate a signature matching facility that looks for specific traffic content
  - Comes with a set of high-value signature policies, selected for their high detection and low false-positive characteristics
- Network Traffic Analysis
  - Can also analyze network protocols, connections, transactions, data amounts, and many other network characteristics
  - Powerful facilities for storing information about past activity and incorporating it into analyses of new activity
- Detection Followed by Action
  - Bro policy scripts can generate output files recording the activity seen on the network (including normal, non-attack activity)
  - Generate problem alerts to event logs, including the operating system syslog facility
  - Scripts can execute programs, which can, in turn, send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with appropriate additional software, insert access control blocks into a router's access control list
- Snort Compatibility Support
  - Includes a tool, snort2bro, which converts Snort signatures into Bro signatures
  - snort2bro also incorporates a large number of enhancements to the standard set of Snort signatures to take advantage of Bro's additional contextual power and reduce false positives
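As an added illustration of the policy-script and "detection followed by action" mechanisms described above (example code written for this page, not a script shipped with Bro; it assumes Bro 2.x script syntax and uses a hypothetical module name, FailedConnScan): a script that counts rejected TCP connection attempts per source host, one of the "unusual activities" the overview mentions, and raises a notice once a threshold is crossed.

```bro
# Example script (not part of the Bro distribution): flag hosts whose
# connection attempts are repeatedly rejected. Assumes Bro 2.x syntax.
@load base/frameworks/notice

module FailedConnScan;   # hypothetical module name

export {
    redef enum Notice::Type += {
        # Raised when one source host exceeds the rejection threshold.
        Repeated_Failed_Connections,
    };

    # Number of rejected attempts before a notice is generated.
    const threshold = 10 &redef;
}

# Per-source counter; entries expire 5 minutes after creation so the
# table does not grow without bound and the count reflects recent activity.
global rejected: table[addr] of count &default=0 &create_expire=5min;

# connection_rejected fires when a TCP SYN is answered with a RST.
event connection_rejected(c: connection)
{
    local orig = c$id$orig_h;
    ++rejected[orig];

    # Fire exactly once per source when the threshold is reached;
    # $identifier lets the notice framework suppress duplicates.
    if ( rejected[orig] == threshold )
        NOTICE([$note=Repeated_Failed_Connections,
                $msg=fmt("%s had %d rejected connection attempts within 5 minutes",
                         orig, threshold),
                $src=orig,
                $identifier=cat(orig)]);
}

# "Detection followed by action": deliver this notice type by e-mail as
# well as to notice.log (requires Notice::mail_dest to be configured).
redef Notice::emailed_types += { Repeated_Failed_Connections };
```

Run it against live traffic with `bro -i <interface> failed_conn_scan.bro` or against a capture with `bro -r trace.pcap failed_conn_scan.bro`; matches appear in notice.log in the working directory.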
Last Updated: Sunday, March 04 2012 @ 12:27 PM EST