Bro is more a network monitor than an anomaly detector. If you wish
to write an anomaly detector, Bro’s domain scripting language will greatly
simplify network analysis for you. I believe Bro doesn’t have the more involved
machine learning style anomaly detection* at the moment. However, there are
some scripts for detection of SSH brute forcing, SQL injection attacks and
malicious network scan that rely on deviation from a threshold. You will
find these scripts in the directory /usr/local/bro/share/bro/scripts/policy (you might
need to adjust the path depending on where you installed Bro on your machine).
There is a new framework SumStats** (Bro frameworks are similar to what we call
libraries in most other languages–they facilitate tasks which would be otherwise
rather tedious to perform) that simplifies the overall task of performing measurements
over network data. Hope this helps.
- You might be interested in looking at the paper  to know why.