Few questions...

Is there a main Bro web page? (besides Vern's homepage) Anything like

Not yet.

The plan has long been to wait until the Bro manual is finished before
raising Bro's public profile. But while the manual is about 2/3 done,
finding time to finish it off has proven difficult - I'm definitely
overcommitted on various projects .... :frowning:

Does anyone keep a repository of modules, or is anyone writing/creating new
bro modules?

I integrate modules sent by others. There are a number of new ones that
we're using internally, and will be part of the next Bro alpha release,
scheduled for September.

For instance the code red one could/should easily be modified
for nimda or any other variant. Anyone done this?

Yes, we use it for Code Red 1, Code Red 2, and Nimda. A version was sent
to the mailing list on September 18 (same day Nimda was released). I've
appended the current in-house version, for those interested.

How many sites are actually using Bro?

I don't know.

How many people are on this mailing list?

A bit over 200.

From what experience I have using bro I think it's really good. However, I
see much more advancement/development on packages like Snort, which seem to
have a much higher (more involved?) user community.

This certainly fits with the long-term plan. The key has been waiting for
the right time to "go public", and my sense has been that that should wait
for the manual to be complete. I've been trying to find a way to expedite
this; hearing from folks like you helps in this regard (others in the list,
please do let me know if you've checked out the current manual and do or
do not find the missing elements a significant hindrance).


Dear all,

Since bro is one of the intrusion detection systems, I decided to
ask whether there is a commonly accepted definition of what an
intrusion detection system is.

Obviously intrusion detection covers detecting backdoors, which are
accessed with ssh for example. But then, some "intrusion detection"
systems have things like "porn filters" looking for traffic *to* porn
sites etc and I am not sure if this is intrusion detection anymore.

Moving away from simple backdoor detection, for example, I think
intrusion detection becomes more of a political activity. It would
be nice to have a definition of what intrusion detection really includes
and what it does not, because right now many people seem to have their own
definitions of intrusion detection and IDS.