Bro.md - ads8t/security-onion GitHub Wiki

Description

Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.

Usage

Security Onion uses Bro to collect session data and file extrations.

Output

Bro writes logs to /nsm/bro/logs in the form of protocol.log file. At the time of writing, Bro logs are consumed by syslog-ng and stored in ELSA. Examples of protocol.log file format, for more information click the logs.

conn.log
dns.log
ftp.log
http.log
ssl.log
notice.log

Analysis

Besides accessing the Bro logs in the directory shown above, you can also view the files in ELSA.

Configuration

You can configure Bro via bro.local:

local.bro

Main configuration file is local.bro

intel.dat

Intel configuration file is intel.dat

Troubleshooting

If you need to troubleshoot Bro, check the log file: /nsm/bro/logs/reporter.log

Performance

In Security Onion, we compile Bro with [PF_RING](https://github.com/Security-Onion-Solutions/security- onion/wiki/PF_RING) to allow you to spin up multiple Bro instances to handle more traffic.

More Information

For more information about Bro, please see: The Bro Network Security Monitor