Bro.md - ads8t/security-onion GitHub Wiki
## Description
From https://www.bro.org/:
> Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.
## Usage
Security Onion uses Bro to collect session data and file extractions.
## Output
Bro writes its logs to /nsm/bro/logs, one file per protocol or log type, named protocol.log.
At the time of writing, Bro logs are consumed by syslog-ng and stored in ELSA.
Examples of the protocol.log naming scheme (see the Bro documentation for the fields of each log):
- conn.log
- dns.log
- ftp.log
- http.log
- ssl.log
- notice.log
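The logs listed above share Bro's tab-separated ASCII layout: a header block (`#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields`, `#types`) followed by one record per line. The reader below is an added example for this page, not Security Onion or Bro code; it parses that layout using the `#fields`/`#types` headers, converts values to native types, treats the unset marker as `None`, and runs two simple checks an analyst would otherwise do in ELSA: connection-state counts and unanswered SYNs (`conn_state` `S0`). The conn.log content embedded in it is constructed sample data.

```python
"""Minimal reader for Bro's tab-separated ASCII logs (conn.log etc.).

Added example for this wiki page, not Security Onion or Bro code. The
sample conn.log below is constructed; the header layout follows Bro's
ASCII log writer (#separator, #fields, #types, #unset_field, #empty_field).
"""
from collections import Counter

# Constructed sample in Bro ASCII format (tabs between fields).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2016-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1451606400.000000\tCxyz1\t192.0.2.10\t51234\t198.51.100.5\t80\ttcp\thttp\t0.512\t420\t1800\tSF",
    "1451606401.000000\tCxyz2\t192.0.2.11\t51235\t198.51.100.9\t443\ttcp\tssl\t-\t-\t-\tS0",
    "1451606402.000000\tCxyz3\t192.0.2.10\t53000\t198.51.100.53\t53\tudp\tdns\t0.020\t60\t120\tSF",
    "#close\t2016-01-01-00-05-00",
])


def _unescape_separator(raw):
    # The "#separator" header writes the separator escaped, e.g. "\x09" for a tab.
    return raw.encode().decode("unicode_escape")


def _convert(value, bro_type, unset, empty, set_sep):
    """Turn one field into a Python value according to its Bro type."""
    if value == unset:
        return None
    if bro_type.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = bro_type[bro_type.index("[") + 1:-1]
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if value == empty:
        return ""
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet: keep the text


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by field name."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            sep = _unescape_separator(line.split(" ", 1)[1])
            continue
        if line.startswith("#"):
            key, *rest = line.split(sep)
            if key == "#set_separator":
                set_sep = rest[0]
            elif key == "#empty_field":
                empty = rest[0]
            elif key == "#unset_field":
                unset = rest[0]
            elif key == "#fields":
                fields = rest
            elif key == "#types":
                types = rest
            continue  # #path, #open, #close carry no record data
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        row_types = types or ["string"] * len(fields)
        records.append({f: _convert(v, t, unset, empty, set_sep)
                        for f, v, t in zip(fields, values, row_types)})
    return records


def conn_state_counts(records):
    """How many connections ended in each conn_state (SF, S0, REJ, ...)."""
    return Counter(r["conn_state"] for r in records)


def unanswered_syns(records):
    """uids with conn_state S0: SYN seen, no reply. Many from one source
    host is a common scan indicator worth following up in ELSA."""
    return [r["uid"] for r in records if r["conn_state"] == "S0"]


def bytes_by_orig_host(records):
    """Total bytes (both directions) per originating host; unset counts as 0."""
    totals = Counter()
    for r in records:
        totals[r["id.orig_h"]] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    return totals


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_CONN_LOG)
    print(conn_state_counts(recs))
    print(unanswered_syns(recs))
    print(bytes_by_orig_host(recs))
```

To run it against a real file, read `/nsm/bro/logs/current/conn.log` (or a rotated copy) into `parse_bro_log` instead of `SAMPLE_CONN_LOG`; the header block in each file tells the parser its own field list, so the same code works for dns.log, http.log and the other logs above.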
## Analysis
Besides accessing the Bro logs in the directory shown above, you can also view them in ELSA.
## Configuration
You can configure Bro via local.bro and intel.dat:
- local.bro: the main configuration file
- intel.dat: the Intel framework configuration file
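Bro reads intel.dat through its input framework, which expects tab-separated columns under a `#fields` header line; a file edited with spaces, or with an indicator type Bro does not know, is rejected at load time and the complaint lands in reporter.log. The checker below is an added example for this page, not Security Onion or Bro code: it flags the common mistakes before Bro sees the file. The set of indicator types it accepts is an assumption for the Bro version in use (check the Intel framework documentation for yours), and both sample files are constructed.

```python
"""Sanity-check an intel.dat file before Bro loads it.

Added example for this wiki page; not Security Onion or Bro code. The column
layout follows Bro's Intel framework input format (tab-separated, with a
'#fields' header). INDICATOR_TYPES is an assumption for the Bro version in
use. Sample content is constructed.
"""
import ipaddress

REQUIRED_COLUMNS = ["indicator", "indicator_type", "meta.source"]
# Assumed indicator types; confirm against the Intel framework docs for your Bro version.
INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}

# Constructed samples: one well-formed file, one with typical mistakes.
GOOD_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "198.51.100.77\tIntel::ADDR\texample-feed\tconstructed sample\tT",
    "bad.example\tIntel::DOMAIN\texample-feed\tconstructed sample\tF",
])
BAD_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "198.51.100.77 Intel::ADDR example-feed spaces-not-tabs T",
    "http://bad.example/x\tIntel::URL\texample-feed\tscheme included\tF",
    "not-an-ip\tIntel::ADDR\texample-feed\tbad address\tMAYBE",
])


def validate_intel(text):
    """Return a list of (line_number, problem) tuples; an empty list means OK."""
    problems = []
    columns = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            columns = line.split("\t")[1:]
            for col in REQUIRED_COLUMNS:
                if col not in columns:
                    problems.append((lineno, "missing column %s" % col))
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if columns is None:
            problems.append((lineno, "data before #fields header"))
            continue
        # The input framework splits on tabs only; a space-separated line is one field.
        if "\t" not in line and " " in line:
            problems.append((lineno, "fields separated by spaces, not tabs"))
            continue
        values = line.split("\t")
        if len(values) != len(columns):
            problems.append((lineno, "expected %d fields, got %d" % (len(columns), len(values))))
            continue
        row = dict(zip(columns, values))
        itype = row["indicator_type"]
        if itype not in INDICATOR_TYPES:
            problems.append((lineno, "unknown indicator_type %s" % itype))
        if itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(row["indicator"])
            except ValueError:
                problems.append((lineno, "Intel::ADDR indicator is not an IP address"))
        if itype == "Intel::URL" and "://" in row["indicator"]:
            # Bro matches Intel::URL without the scheme; "http://" prefixes never hit.
            problems.append((lineno, "Intel::URL indicator should omit the scheme"))
        if row.get("meta.do_notice", "F") not in ("T", "F"):
            problems.append((lineno, "meta.do_notice must be T or F"))
    if columns is None:
        problems.append((0, "no #fields header found"))
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_INTEL), ("bad", BAD_INTEL)):
        print(name, validate_intel(text) or "OK")
```

Run it on the real file with `validate_intel(open("/nsm/bro/logs/../intel.dat").read())` adjusted to wherever your intel.dat lives; a clean result before restarting Bro saves a round trip through reporter.log.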
## Troubleshooting
If you need to troubleshoot Bro, check the log file: /nsm/bro/logs/reporter.log
## Performance
In Security Onion, we compile Bro with [PF_RING](https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING) to allow you to spin up multiple Bro instances to handle more traffic.
## More Information
For more information about Bro, please see: [The Bro Network Security Monitor](https://www.bro.org/)