announcing Bro

Bro is a high-performance network intrusion detection system. It is built around a policy-neutral "event engine" that pieces network packets into events that reflect different types of activity. Some events are quite low-level, such as the monitor seeing a connection attempt; some are specific to a particular network protocol, such as an HTTP request or reply; and some reflect high-level notions, such as a user having successfully authenticated during a login session.

Bro runs the events produced by the event engine through a user-specified "policy script" written in a high-level, customized language geared towards network analysis in general and security analysis in particular. The policy scripts can maintain and update global state information, write arbitrary information to disk files, generate new events, call functions (either user-defined or predefined), generate alerts that produce syslog messages, or invoke arbitrary shell commands.

Bro is now publicly available in source code form under a BSD-like license, with a (modest) home page at:

        http://www.icir.org/vern/bro.html

You can get the "stable" 0.7 release from:

        ftp://ftp.ee.lbl.gov/bro-pub-0.7-stable.tar.gz

or the "current" release (with considerably more features, including a signature engine that can read Snort rules, but unfortunately is not yet documented) from:

        ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Fairly, but not fully, complete documentation is available from:

	
http://www.icir.org/vern/bro-manual/index.html

		(split up into many files for quick browsing)



	
http://www.icir.org/vern/bro-manual/entire.html

		(a single monolithic file, good for searching)



	
http://www.icir.org/vern/bro-manual/manual.ps

		(Postscript, good for printing)

There's a Bro mailing list, too, bro@lbl.gov. To get on it, send a message to majordomo@listserv.lbl.gov with "subscribe bro" in the *body*.

                Vern

Vern Paxson

ICSI Center for Internet Research (ICIR) and Lawrence Berkeley National Laboratory

vern@icir.org, vern@ee.lbl.gov Received on Mon Nov 18 02:15:19 2002