2011/9/28 Roger Larsen - Høgskolen i Gjøvik <roger.larsen@hig.no>
Dear Bro Team/Community,
I am studying information security (master's degree) at Gjøvik University College (www.hig.no).
At present I am writing an article about Bro, and I am struggling to find detailed documentation regarding the Bro Policy Script Language.
Can You please help me in this matter?
Thanks!
Best Regards,
Roger Larsen
Network manager & student :)
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Hi Roger,
The Bro team is overhauling their documentation, but all is not lost! My first suggestion would be to check out their workshop here:
http://www-old.bro-ids.org/bro-workshop-2009-2/agenda.html
Also, the documentation is included in the 1.5.3 tarball; however, the docs are dated to about 2004. http://www-old.bro-ids.org has a wiki with more updated docs (2007, I believe).
Also, get a feel for the scripts included with the tarball, as they are very illuminating. They are the *.bro files in the /policy directory after you’ve extracted the tarball.
Bro is very powerful from what little I’ve seen so far. I’m a Snort and Suricata guy, and just recently read Vern Paxson et al.’s “Robust TCP Reassembly in the Presence of Adversaries” paper and had to dive into Bro.
Martin Holste is a frequent poster here, and has actually written some nice posts on his blog regarding Bro setup and clustering. Check it out here: http://ossectools.blogspot.com/
Hope this helps!
marcos