Chinese Yellow Pages | Classifieds | Knowledge | Tax | IME

Bro, or sometimes referred to as Bro-IDS is a bit different than Snort and Suricata. In a way Bro is both a signature and anomaly-based IDS. Its analysis engine will convert traffic captured into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine and that’s the Policy Script Interpreter. This policy engine has it’s own language ( Bro-Script ) and it can do some very powerful and versatile tasks.


echo ‘deb /’ >> /etc/apt/sources.list.d/bro.list

wget –quiet -O –
| apt-key add –

apt-get update
apt-get install bro

config and run

cd /opt/bro;

change  etc/node.cfg ( update to your monitoring NIC interface)


type start

it will generate some logs files under /opt/bro/logs ( may need to stop to force flush the log)

Sample Results:

zcat 2016-05-16/weird.11:05:51-11:09:28.log.gz
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field –
#path weird
#open 2016-05-16-11-05-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1463411151.693423 CupmIg2gzB8ED3oBw7 57920 443 bad_TCP_checksum-F bro
1463411156.329354 CQSTmd4CSCV5Eyo7Qf 5555 44240 bad_TCP_checksum-F bro
1463411159.593437 C6NccT3FY2AJ5M8bVb 60299 53 bad_UDP_checksum-F bro
1463411159.632785 C6NccT3FY2AJ5M8bVb 60299 53 dns_unmatched_reply – F bro
1463411159.669412 C1G1j51ikJNpI60tY1 40219 53 dns_unmatched_reply – F bro
1463411159.693446 Cdgva33A5K4z34LVil 36313 53 dns_unmatched_reply – F bro
1463411159.713431 CwWQFl1ohbKfAQ7mQ5 34110 53 dns_unmatched_reply – F bro



Leave a Reply

Your email address will not be published. Required fields are marked *