Bro.md - ads8t/security-onion GitHub Wiki

Description

From https://www.bro.org/:

Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.

Usage

Security Onion uses Bro to collect session data and file extractions.

Output

Bro writes logs to /nsm/bro/logs, one file per protocol, named protocol.log. At the time of writing, Bro logs are consumed by syslog-ng and stored in ELSA. Examples of these protocol.log files are listed below:

  • conn.log
  • dns.log
  • ftp.log
  • http.log
  • ssl.log
  • notice.log
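
As an added example (not part of this wiki page or of Security Onion's own tooling), the following Python reads Bro's default tab-separated log format as written to /nsm/bro/logs and runs two simple triage passes over a conn.log sample. The column names are Bro's standard conn.log fields; the log lines themselves are constructed, not captured traffic.

```python
# Constructed sample in Bro's default TSV log format (not a real capture).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1389721084.522861\tCXWv6p3arKYeMETxOg\t192.168.1.10\t52344\t93.184.216.34\t80\ttcp\thttp\t0.215\t512\t2048\tSF
1389721090.000000\tCbeDn62WWabRmpNqSk\t192.168.1.10\t40113\t192.168.1.1\t53\tudp\tdns\t0.012\t60\t120\tSF
1389721100.000000\tCmEs4x1yGJD0jIq34c\t192.168.1.22\t59988\t203.0.113.5\t4444\ttcp\t-\t3600.5\t1024\t8192\tS1
#close\t2014-01-14-19-00-00
"""


def parse_bro_log(text):
    """Parse Bro TSV log text into dicts keyed by the #fields header.
    Lines starting with '#' are metadata; the #unset_field marker ('-') becomes None."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def long_unknown_connections(records, min_duration=600.0):
    """uids of connections longer than min_duration seconds for which Bro could not
    identify a service (service unset): a cheap first-pass filter for conn.log review."""
    return [r["uid"] for r in records
            if r["service"] is None and r["duration"] is not None
            and float(r["duration"]) > min_duration]


def bytes_by_orig_host(records):
    """Total orig_bytes + resp_bytes per originating host (unset counts treated as 0)."""
    totals = {}
    for r in records:
        total = int(r["orig_bytes"] or 0) + int(r["resp_bytes"] or 0)
        totals[r["id.orig_h"]] = totals.get(r["id.orig_h"], 0) + total
    return totals
```

The same parser works for any of the logs listed above, since they all share the #fields/#types header convention; only the downstream filters are conn.log-specific.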

Analysis

Besides accessing the Bro logs in the directory shown above, you can also view the files in ELSA.

Configuration

You can configure Bro via local.bro:

local.bro

The main configuration file is local.bro.

intel.dat

The intel configuration file is intel.dat.

Troubleshooting

If you need to troubleshoot Bro, check the log file: /nsm/bro/logs/reporter.log

Performance

In Security Onion, we compile Bro with [PF_RING](https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING) to allow you to spin up multiple Bro instances to handle more traffic.

More Information

For more information about Bro, please see: The Bro Network Security Monitor