Bro's capabilities

Hi all,

I have a question about Bro’s capabilities.

Could you please detail how Bro works? I know Bro has “protocol analysis” capabilities for some protocols and is a “behavior-based” IDS.

If I understand correctly, Bro can learn the way a network is used (like machine learning) and then dissect all the protocols it can parse (http, ftp, …) to see if the field values of these protocols were recorded during the learning phase?

Thanks for your answers.