Hi Dan,
There are various ways one can detect anomalies using Bro based on the network traffic.
Use of the Intel framework and scan scripts with Bro gives a start at detecting different types of scanning and other suspicious activity going on in the network.
Not sure what exactly your use case is regarding NSL-KDD training sets with Bro.
Are you trying to use Bro-generated network data as the test set for your classifiers/learning algos, or trying to feed Bro with the NSL-KDD training sets? I don’t think machine learning is currently supported by Bro.
Or I might have misunderstood the question.
-Fatema.
My take is that while Bro has the Intel framework and Bro scripts to classify and alert on traffic, the real anomaly detection/heavy lifting should be done where the Bro data is stored. We use Bro as a (big) data source for analytics and discovery.
There are several plugins https://github.com/bro/bro-plugins where you can move/process the Bro data. If you like Python/Pandas/Scikit-Learn you might try the Python BroThon package (https://github.com/Kitware/BroThon) which I started working on… we’re working on anomaly detection using scikit-learn i-forests and some other stuff with it…
If you want to use Bro Scripts there might be some examples here to start playing around with:
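To illustrate the "do the heavy lifting on the stored Bro data" approach, here is an added example (not BroThon's code or anything from the thread): it parses a constructed conn.log in Bro's ASCII TSV layout, builds per-source-host features with the standard library only, and ranks hosts with a median/MAD outlier score as a stand-in for the scikit-learn isolation forest mentioned above. The sample records, hostnames and the scoring rule are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample (not real traffic) in Bro's default ASCII log layout: '#' lines are
# headers, '#fields' names the columns, fields are tab-separated, '-' marks an unset value.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount
1490000000.1\tCa1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\t1.2\t500\t2000
1490000001.2\tCa2\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\t0.9\t700\t3500
1490000002.3\tCb1\t10.0.0.6\t51002\t93.184.216.34\t443\ttcp\t2.1\t600\t4000
1490000003.4\tCb2\t10.0.0.6\t51003\t93.184.216.34\t80\ttcp\t0.4\t300\t1500
1490000004.5\tCc1\t10.0.0.7\t51004\t93.184.216.34\t443\ttcp\t1.5\t800\t-
1490000005.6\tCc2\t10.0.0.7\t51005\t93.184.216.34\t80\ttcp\t-\t-\t-
1490000006.0\tCd1\t10.0.0.77\t40001\t10.0.0.9\t21\ttcp\t0.0\t0\t0
1490000006.1\tCd2\t10.0.0.77\t40002\t10.0.0.9\t22\ttcp\t0.0\t0\t0
1490000006.2\tCd3\t10.0.0.77\t40003\t10.0.0.9\t23\ttcp\t0.0\t0\t0
1490000006.3\tCd4\t10.0.0.77\t40004\t10.0.0.9\t25\ttcp\t0.0\t0\t0
"""

def parse_bro_log(text):
    """Yield one dict per record, keyed by the '#fields' header; '-' becomes None."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):  # skip #separator, #types, #close
            yield dict(zip(fields, (None if v == "-" else v for v in line.split("\t"))))

def host_features(records):
    """Per id.orig_h: [connections, distinct responder ports, distinct responders, bytes sent]."""
    feats = defaultdict(lambda: [0, set(), set(), 0])
    for r in records:
        f = feats[r["id.orig_h"]]
        f[0] += 1
        f[1].add(r["id.resp_p"])
        f[2].add(r["id.resp_h"])
        f[3] += int(r["orig_bytes"] or 0)  # unset ('-') orig_bytes counts as 0
    return {h: [f[0], len(f[1]), len(f[2]), f[3]] for h, f in feats.items()}

def rank_outliers(features):
    """Stand-in for the i-forest: per host, sum over columns of |x - median| / MAD, highest first."""
    scores = {h: 0.0 for h in features}
    for i in range(4):
        col = [v[i] for v in features.values()]
        med = statistics.median(col)
        mad = statistics.median(abs(x - med) for x in col) or 1.0  # floor MAD at 1
        for h, v in features.items():
            scores[h] += abs(v[i] - med) / mad
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

The host touching many distinct ports with no payload ranks first; on real logs the same parser feeds a pandas DataFrame or an isolation forest directly.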
Hi Brian,
This looks really interesting; I didn’t know about the Python package available for Bro data.
Recently I took a course on search and data mining and wondered if it can be done on Bro data,
so your post comes at the perfect time.
I will play around with it. Thanks!
-Fatema.