| Original author(s) | Vern Paxson |
|---|---|
| Stable release | 2.5.1 / June 27, 2017 |
| Repository | github |
| Written in | C++ |
| Operating system | Linux, FreeBSD, Mac OS X |
| Type | Network intrusion detection system |
| License | BSD license |
| Website | www |
Originally written by Vern Paxson, Bro is an open-source, Unix-based network monitoring framework. It is often compared to a network intrusion detection system (NIDS), and it can be used to build one, but it is much more than that: Bro can also be used for collecting network measurements, conducting forensic investigations, traffic baselining and more. Bro has been described as tcpdump, Snort, netflow, and Perl (or any other scripting language) all in one. It is released under the BSD license.
Bro can be conceptualized in two layers
Most Bro analyzers are located in Bro's event engine, each with an accompanying policy script that the user can customize. The analyzers perform application-layer decoding, anomaly detection, signature matching and connection analysis. Bro has been designed so that it is easy to add additional analyzers. Application-layer analyzers included with Bro cover HTTP, FTP, SMTP and DNS, amongst others. Other, non-application-layer analyzers detect host or port scans, intermediary (stepping-stone) hosts and SYN floods. Bro also includes signature detection and allows the import of Snort signatures.
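To make the two layers concrete, here is an added example of a small policy script in Bro 2.5 script syntax; it is not part of the Bro distribution. The event engine's HTTP analyzer decodes each request and raises `http_request`, and the script layer decides what to do with it: this handler counts requests per client and raises a Notice when a client passes a threshold. A second handler shows how the signature engine (whose rules live in a separate `.sig` file, possibly converted from a Snort rule) hands matches to the script layer via `signature_match`. The module name `HTTPRate`, the `Too_Many_Requests` notice type and the threshold of 100 are assumptions chosen for the example.

```bro
# Added example (not from the Bro project): a policy script that consumes
# events from the event engine. Module name, notice type and threshold are
# assumptions for illustration.

@load base/frameworks/notice
@load base/protocols/http

module HTTPRate;

export {
    redef enum Notice::Type += {
        ## Raised when one client sends more than max_requests HTTP requests.
        Too_Many_Requests
    };

    ## Assumed threshold; tune for the monitored network.
    const max_requests = 100 &redef;
}

# Per-client request counter. Entries expire after 5 minutes without
# writes, so the table does not grow without bound on a busy link.
global requests: table[addr] of count &default=0 &write_expire=5min;

# The HTTP analyzer in the event engine raises this for every decoded
# request; the script layer only sees the already-parsed fields.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    local client = c$id$orig_h;
    ++requests[client];

    # Fire exactly once when the threshold is crossed; $identifier lets the
    # Notice framework suppress repeats for the same client.
    if ( requests[client] == max_requests )
        NOTICE([$note=Too_Many_Requests,
                $msg=fmt("%s issued %d HTTP requests", client, max_requests),
                $conn=c,
                $identifier=cat(client)]);
}

# The signature engine raises signature_match for each rule hit. Rules are
# defined in a .sig file (loaded with @load-sigs); this handler records which
# rule fired and on which connection.
event signature_match(state: signature_state, msg: string, data: string)
{
    print fmt("signature %s matched %s -> %s: %s",
              state$sig_id, state$conn$id$orig_h, state$conn$id$resp_h, msg);
}
```

Run it with `bro -r capture.pcap httprate.bro` (file name assumed) to replay a trace through both layers offline; the same script works unchanged on live traffic, which is the point of the separation: analyzers in the engine do the protocol work once, and site policy lives entirely in scripts like this one.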