mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00
143 lines
6.4 KiB
Text
143 lines
6.4 KiB
Text
|
|
@menu
|
|
* What is Bro? ::
|
|
* Bro features and benefits ::
|
|
* Getting more Information ::
|
|
@end menu
|
|
|
|
@node What is Bro?
|
|
@section What is Bro?
|
|
@cindex Network Intrusion Detection System
|
|
|
|
Bro is a Unix-based Network Intrusion Detection System (IDS). Bro monitors network traffic and detects intrusion attempts based on the traffic
|
|
characteristics and content. Bro detects intrusions by passing network traffic through rules describing events that are deemed troublesome. These rules
|
|
might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alarming (e.g., attempts to a given number of different hosts constitutes
|
|
a "scan"), or signatures describing known attacks or access to known vulnerabilities. If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command (such as sending email, or creating a router entry to block an address).
|
|
|
|
Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques,
|
|
Bro is able to achieve the performance necessary to do so while running on commercially
|
|
available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
|
|
|
|
|
|
@node Bro features and benefits
|
|
@section Bro features and benefits
|
|
|
|
@itemize
|
|
@item @strong{Network Based}
|
|
@quotation
|
|
Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific
|
|
network location. A single Bro monitor, strategically placed at a key network junction, can be
|
|
used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or
|
|
require installation of client software on each individual, networked computer.
|
|
@end quotation
|
|
|
|
@item @strong{Custom Scripting Language}
|
|
@quotation
|
|
Bro policy scripts are programs written in the Bro language. They contain the "rules" that
|
|
describe what sorts of activities are deemed troublesome. They analyze the network activity and
|
|
initiate actions based on the analysis. Although the Bro language takes some time and effort to
|
|
learn, once mastered, the Bro user can write or modify Bro policies to detect and notify or alarm on virtually
|
|
any type of network activity.
|
|
@end quotation
|
|
|
|
@item @strong{Pre-written Policy Scripts}
|
|
@quotation
|
|
Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
|
|
while limiting the number of false positives, i.e., alarms that confuse uninteresting activity with the
|
|
important attack activity. These supplied policy scripts will run "out of the box" and do not
|
|
require knowledge of the Bro language or policy script mechanics.
|
|
@end quotation
|
|
|
|
@item @strong{Powerful Signature Matching Facility}
|
|
@quotation
|
|
Bro policies incorporate a signature matching facility that looks for specific traffic content. For
|
|
Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a
|
|
great deal of power to its signature-matching capability because of its rich language. This allows
|
|
Bro to not only examine the network content, but to understand the context of the signature,
|
|
greatly reducing the number of false positives. Bro comes with a set of high-value signatures,
|
|
selected for their high detection and low false positive characteristics,
|
|
as well as policy scripts that perform more detailed analysis.
|
|
@end quotation
|
|
|
|
@item @strong{Network Traffic Analysis}
|
|
@quotation
|
|
Bro not only looks for signatures, but also analyzes network protocols, connections,
|
|
transactions, data volumes, and many other network characteristics. It has powerful facilities for
|
|
storing information about past activity and incorporating it into analyses of new activity.
|
|
@end quotation
|
|
|
|
@item @strong{Detection Followed by Action}
|
|
@quotation
|
|
Bro policy scripts can generate output files recording the activity seen on the network (including
|
|
normal, non-attack activity). They can also send alarms to event logs, including the
|
|
operating system @emph{syslog} facility. In addition, scripts can execute programs, which can, in turn,
|
|
send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
|
|
appropriate additional software, insert access control blocks into a router's access control list.
|
|
With Bro's ability to execute programs at the operating system level, the actions that Bro can
|
|
initiate are only limited by the computer and network capabilities that support Bro.
|
|
@end quotation
|
|
|
|
@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
|
|
@cindex Snort
|
|
@quotation
|
|
The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
|
|
signatures. Along with translating the format of the signatures, snort2bro also incorporates a large
|
|
number of enhancements to the standard set of Snort signatures to take advantage of Bro's
|
|
additional contextual power and reduce false positives.
|
|
@end quotation
|
|
|
|
|
|
@end itemize
|
|
|
|
@node Getting more Information
|
|
@section Getting more Information
|
|
|
|
@itemize
|
|
@item @strong{Reference manual}
|
|
@quotation
|
|
An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
|
|
@end quotation
|
|
|
|
@item @strong{FAQ}
|
|
@cindex FAQ
|
|
@quotation
|
|
Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.
|
|
If you have a question not already covered
|
|
in the FAQ, send it to us and we'll add it.
|
|
@end quotation
|
|
|
|
@item @strong{E-mail list}
|
|
@cindex Email list
|
|
@quotation
|
|
Send questions on any Bro subject to bro@@bro-ids.org
|
|
The list is frequented by all of the Bro developers.
|
|
|
|
You can subscribe by going to the website:
|
|
@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
|
|
@*
|
|
or by placing the following command in either the subject or the body of a message addressed to
|
|
bro-request@@icsi.berkeley.edu.
|
|
|
|
@example
|
|
subscribe [password] [digest-option] [address=<address>]
|
|
@end example
|
|
|
|
A password must be given to
|
|
unsubscribe or change your options. Once subscribed to the
|
|
list, you'll be reminded of your password periodically.
|
|
The "digest-option" may be either: "nodigest" or "digest" (no
|
|
quotes!). If you wish to subscribe an address other than the
|
|
address you use to send this request from, you may specify
|
|
"address=<email address>" (no brackets around the email
|
|
address, no quotes!)
|
|
|
|
@end quotation
|
|
|
|
@item @strong{Website}
|
|
@quotation
|
|
The official Bro website is located at:
|
|
@uref{http://www.bro-ids.org}.
|
|
It contains all of the above documentation and more.
|
|
@end quotation
|
|
|
|
@end itemize
|