An increasing number of institutions are recognizing the need to log network data in large volume and to analyze the data efficiently to detect sophisticated network intrusion attempts affecting their network space. Bro is extremely well suited for these purposes. The information below describes the basics you need to know if your institution is considering a Bro deployment.
Bro is an open-source network security monitor and traffic analyzer that supports a wide range of traffic-analysis tasks. It is particularly good at analyzing large volumes of network traffic because of its architecture (described in more detail in the section “How does Bro work?”). Bro’s logging is extensive: it records every connection seen on the wire, and it also records application-level details, for example the application protocol identified on each connection independent of the port in use, and data on a connection that is not consistent with what is expected for the protocol in question.
One of Bro’s chief advantages is its flexibility. In addition to the packaged scripts that ship with it for common analysis tasks, Bro includes a scripting language that lets a site define its own domain-specific analysis. Bro is therefore both customizable and extensible, and it scales to large networks.
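As an added illustration (not part of this white paper or of the Bro distribution), the following site-specific script, written in Bro’s scripting language using Bro 2.x syntax, combines the two capabilities described above: it relies on Bro’s port-independent protocol detection and raises a notice when SSH is seen on a server port other than the ones the site expects. The module name SiteSSH, the notice type SSH_On_Nonstandard_Port, and the set expected_ssh_ports are names chosen for this example; the protocol_confirmation event, the Analyzer::ANALYZER_SSH tag, and the NOTICE call are standard Bro 2.x.

```zeek
# Added example (not from the white paper or the Bro project): a
# site-specific Bro 2.x script that flags SSH on non-standard ports.
# Bro's dynamic protocol detection identifies the application protocol
# from the traffic itself, so this works regardless of the port used.

module SiteSSH;

export {
    redef enum Notice::Type += {
        ## Raised when SSH is detected on a server port the site does not expect.
        SSH_On_Nonstandard_Port
    };

    ## Server ports where SSH is expected at this site (example value; adjust locally).
    const expected_ssh_ports: set[port] = { 22/tcp } &redef;
}

# protocol_confirmation fires once Bro has confirmed which application
# protocol a connection carries; atype identifies the confirmed analyzer.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    # Only interested in connections confirmed as SSH.
    if ( atype != Analyzer::ANALYZER_SSH )
        return;

    # SSH on an expected port is normal; nothing to report.
    if ( c$id$resp_p in expected_ssh_ports )
        return;

    # Record a notice; $identifier lets Notice::policy suppress repeats
    # for the same server and port.
    NOTICE([$note=SSH_On_Nonstandard_Port,
            $msg=fmt("SSH detected on non-standard port: %s -> %s:%s",
                     c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $conn=c,
            $identifier=cat(c$id$resp_h, c$id$resp_p)]);
    }
```

Saved as, for example, site-ssh.bro, the script can be loaded into a running deployment by adding an @load line for it to local.bro, or tested offline against a capture with `bro -r trace.pcap site-ssh.bro`; matching connections then appear in notice.log alongside the usual conn.log entry Bro writes for every connection.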
Special thanks to the HEISC Technologies, Operations, and Practices Working Group for their contributions to this white paper.