Bro: Open Source Network Intrusion Detection System

by Black on May 19, 2009

in Open Source, Security tools

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. It detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.

It uses a specialized policy language that allows a site to tailor Bro’s operation, both as site policies evolve and as new attacks are discovered. When a policy script flags an event, Bro can be instructed to generate a log entry, alert the operator in real time, or execute an operating system command.

Bro is layered into three major components. The lowest layer captures packets with the now-standard libpcap library, applying a BPF filter so that only traffic of interest is handed upward. The filtered packets are then passed to Bro’s event engine, which reassembles streams, parses application protocols, and reduces the packet stream to a series of higher-level events. These events describe network activity in policy-neutral terms: they state what happened, not whether it is bad. Finally, Bro’s policy script interpreter executes event handlers written in the custom Bro scripting language, and it is these handlers that decide what is suspicious and what to do about it.
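To make the three layers concrete, here is an added example policy script (not code from the original post or from the Bro distribution). It assumes Bro 1.4-era script syntax; the file names, the watched URI pattern, and the port 8080 filter are hypothetical. The libpcap layer is touched through `capture_filters`, the event engine delivers `http_request`, and the script layer decides whether a request is worth recording and writes it to an output file.

```bro
# http-uri-watch.bro (hypothetical file name; added example, not from the Bro distribution)
# Run offline on a libpcap trace:   bro -r trace.pcap http-uri-watch.bro
# Run live on an interface:         bro -i eth0 http-uri-watch.bro
@load http      # loads the HTTP analyzer, so the event engine emits http_request

# Layer 1: libpcap. Bro builds its BPF filter from capture_filters; http.bro
# already contributes "tcp port 80". This entry (hypothetical site) lets port
# 8080 through as well. Note that the filter only admits packets; they are
# parsed as HTTP only if the HTTP analyzer is configured for (or detects) that port.
redef capture_filters += { ["http-alt"] = "tcp port 8080" };

# Layer 3: site policy. URIs a legitimate client of this (hypothetical) site
# never requests. &redef lets another script override the list without editing this one.
const watched_uris = /^\/(admin|phpmyadmin|cgi-bin\/test-cgi|\.git\/)/ &redef;

# Output file named after the tag, one line per matching request.
global uri_log = open_log_file("http-uri-watch") &redef;

# Layer 2: the event engine generates http_request once the HTTP analyzer has
# parsed a request line. The event carries facts, not a verdict; the handler decides.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    # Match the decoded URI so that %2e%2e-style encoding cannot evade the pattern.
    if ( watched_uris !in unescaped_URI )
        return;

    print uri_log, fmt("%.6f %s:%s -> %s:%s %s %s",
                       network_time(), c$id$orig_h, c$id$orig_p,
                       c$id$resp_h, c$id$resp_p, method, unescaped_URI);
}
```

Matching on `unescaped_URI` rather than `original_URI` is deliberate: the analyzer has already decoded percent-encoding, so the policy sees what the web server will see.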

These are Bro’s main features:

  • Network Based

    Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific network location. A single Bro monitor, strategically placed at a key network junction, can be used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or require installation of client software on each individual networked computer.

  • Rich Application-Layer Analysis

    A primary feature of Bro is that it includes detailed, parser-driven analysis of many popular application protocols. The output of these analyzers is a stream of events that describe observed activity in semantically rich, high-level terms. These events themselves do not constitute security alerts, but rather provide the input for further, stateful processing using Bro’s custom scripting language.

  • Custom Scripting Language

    Bro policy scripts are programs written in the Bro language. They contain the “rules” that describe what sorts of activities are deemed troublesome. They analyze the network activity and initiate actions based on the analysis. Although the Bro language takes some time and effort to learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually any type of network activity.

  • Pre-written Policy Scripts

    Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the important attack activity. These supplied policy scripts will run “out of the box” and do not require knowledge of the Bro language or policy script mechanics.

  • Powerful Signature Matching Facility

    Bro policies incorporate a signature matching facility that looks for specific traffic content. For Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a great deal of power to its signature-matching capability because of its rich language: a signature match is delivered to the policy layer as an event, so a script can weigh the match against the context (the connection, the hosts involved, what was seen before) instead of treating every content hit as an alert, which greatly reduces the number of false positives. Bro comes with a set of high-value signature policies, selected for their high detection and low false positive characteristics.

  • Network Traffic Analysis

    Bro not only looks for signatures, but can also analyze network protocols, connections, transactions, data amounts, and many other network characteristics. It has powerful facilities for storing information about past activity and incorporating it into analyses of new activity.

  • Detection Followed by Action

    Bro policy scripts can generate output files recording the activity seen on the network (including normal, non-attack activity). They can also generate problem alerts to event logs, including the operating system syslog facility. In addition, scripts can execute programs, which can, in turn, send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with appropriate additional software, insert access control blocks into a router’s access control list. With Bro’s ability to execute programs at the operating system level, the actions that Bro can initiate are only limited by the computer and network capabilities that support Bro.

  • Snort Compatibility Support

    The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro signatures. Along with translating the format of the signatures, snort2bro also incorporates a large number of enhancements to the standard set of Snort signatures to take advantage of Bro’s additional contextual power and reduce false positives.
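The signature facility and the “detection followed by action” feature fit together as follows. This is an added example, not code from the original post or from the Bro distribution; it assumes Bro 1.4-era syntax, and the signature name, file names, threshold, and the `/usr/local/sbin/block-host` command are hypothetical placeholders for a site’s own blocking script. The signature file is shown in the leading comment because its format differs from the policy language.

```bro
# passwd-probe.bro (hypothetical file name; added example, not from the Bro distribution)
#
# Companion signature file passwd-probe.sig (hypothetical, also not from the distribution):
#
#   signature passwd-probe {
#       ip-proto == tcp
#       dst-port == 80
#       http-request /.*\/etc\/passwd/
#       event "HTTP request for /etc/passwd"
#   }
#
# Signature regexes are anchored at the start, hence the leading ".*".
# Run:  bro -r trace.pcap -s passwd-probe.sig passwd-probe.bro
@load http
@load notice

redef enum Notice += {
    PasswdProbe,          # one match of the signature
    PasswdProbeBlocked,   # threshold reached, blocking action executed
};

const block_threshold = 3 &redef;

# Matches per source address, expiring 30 minutes after the last update,
# so the table cannot grow without bound on a busy link.
global hits: table[addr] of count &default = 0 &write_expire = 30 min;

# Sources already acted on, so the external command runs once per host.
global blocked: set[addr];

# signature_match is raised by the engine for every signature whose 'event'
# action fires. The signature only says what matched; the script decides
# whether it matters, using the connection context it receives.
event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$id != "passwd-probe" )
        return;

    local c = state$conn;
    local src = c$id$orig_h;

    # Every match is worth a notice; the notice policy decides where it goes (log, syslog, mail).
    NOTICE([$note=PasswdProbe, $conn=c, $msg=fmt("%s: %s", src, msg)]);

    ++hits[src];
    if ( hits[src] < block_threshold || src in blocked )
        return;

    add blocked[src];

    # Detection followed by action. Only the address is interpolated into the
    # command line, never 'data': attacker-controlled payload must not reach a
    # shell unescaped, or the IDS itself becomes the injection point.
    local cmd = fmt("/usr/local/sbin/block-host %s", src);
    local rc = system(cmd);

    NOTICE([$note=PasswdProbeBlocked, $conn=c,
            $msg=fmt("%s reached %d matches; ran '%s' (exit %d)",
                     src, block_threshold, cmd, rc)]);
}
```

The threshold and the `blocked` set are the stateful part the text refers to: the same signature hit that is merely logged the first time becomes a blocking action the third time, and never more than once per source.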

Version 1.4 can be downloaded from the Bro project’s website.
