How to Detect the attacks from the logs


I have installed Bro IDS 1.5.3. I have also installed Broctl. I have Bro IDS and Broctl on Ubuntu 12.04. I am a newbie to Bro IDS. I am not getting proper documentation regarding the Bro IDS. I have performed some Denial of Service attacks like UDP Storm and TCP SYN attack on my system through some other systems in my network. The log is maintained in the directory /usr/local/bro/logs. I am unable to understand the logs. I want to know the following things:

  1. How to detect the attacks from the logs.
  2. How to generate reports regarding attacks automatically.
  3. How to get an email regarding the reports.

Please help me with this. I will be highly obliged to you.
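As an added example (not part of the question or any reply, and not Bro's own code), the following script shows what "detecting the attacks from the logs" looks like in practice for the two attacks named above: it parses a Bro 2.x ASCII conn.log by its #fields header, counts half-open TCP attempts (conn_state S0, REJ or RSTOS0) and UDP flows per source/destination pair in fixed time windows, and turns any pair over a threshold into a plain-text report that a cron job could pipe to a mail command. The 2.x tab-separated log layout is assumed because the reply recommends moving off 1.5.3, whose logs differ; the thresholds, window size, IP addresses, function names and the sample log lines are all constructed for illustration.

```python
"""Added example: flag SYN-flood and UDP-storm patterns in a Bro 2.x conn.log.

Not Bro's own code. Assumes the Bro 2.x ASCII conn.log layout (tab-separated,
with a #fields header); Bro 1.5.3 logs differ. Thresholds, window size and
the set of conn_state values treated as half-open are heuristics to tune.
"""
from collections import defaultdict

CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# conn_state values meaning the TCP handshake never completed (Bro's documented
# meanings: S0 = attempt with no reply, REJ = attempt rejected,
# RSTOS0 = SYN followed by RST with no SYN-ACK seen).
HALF_OPEN_STATES = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Yield one dict per data line, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def detect_floods(records, window=10.0, syn_threshold=50, udp_threshold=100):
    """Count half-open TCP attempts and UDP flows per (src, dst, window).

    Returns alert dicts for every pair whose count reaches the threshold.
    Thresholds are assumptions; tune them against normal traffic.
    """
    syn_counts = defaultdict(int)
    udp_counts = defaultdict(int)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], int(float(r["ts"]) // window))
        if r["proto"] == "tcp" and r["conn_state"] in HALF_OPEN_STATES:
            syn_counts[key] += 1
        elif r["proto"] == "udp":
            udp_counts[key] += 1
    alerts = []
    for kind, counts, limit in (("syn_flood", syn_counts, syn_threshold),
                                ("udp_storm", udp_counts, udp_threshold)):
        for (src, dst, bucket), n in sorted(counts.items()):
            if n >= limit:
                alerts.append({"type": kind, "src": src, "dst": dst,
                               "window_start": bucket * window, "count": n})
    return alerts


def format_report(alerts):
    """Plain-text summary; cron can pipe this into a mail command."""
    if not alerts:
        return "No flood activity detected.\n"
    lines = ["%-10s %-15s %-15s %12s %6s" % ("type", "src", "dst", "window", "count")]
    for a in alerts:
        lines.append("%-10s %-15s %-15s %12.1f %6d" % (
            a["type"], a["src"], a["dst"], a["window_start"], a["count"]))
    return "\n".join(lines) + "\n"


def _conn_line(ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state, history):
    """Build one constructed conn.log data line; unused fields are '-' (unset)."""
    row = dict.fromkeys(CONN_FIELDS, "-")
    row.update({"ts": "%.6f" % ts, "uid": "CxSample", "id.orig_h": orig_h,
                "id.orig_p": str(orig_p), "id.resp_h": resp_h,
                "id.resp_p": str(resp_p), "proto": proto,
                "conn_state": conn_state, "history": history})
    return "\t".join(row[f] for f in CONN_FIELDS)


def build_sample_log():
    """Constructed sample: a SYN flood, a UDP storm and a little normal traffic."""
    lines = ["#separator \\x09", "#path\tconn",
             "#fields\t" + "\t".join(CONN_FIELDS)]
    for i in range(60):  # 60 half-open TCP attempts within 6 seconds
        lines.append(_conn_line(1000.0 + i * 0.1, "10.0.0.5", 40000 + i,
                                "10.0.0.1", 80, "tcp", "S0", "S"))
    for i in range(120):  # 120 unanswered UDP flows within 6 seconds
        lines.append(_conn_line(1000.0 + i * 0.05, "10.0.0.6", 50000 + i,
                                "10.0.0.1", 53, "udp", "S0", "D"))
    for i in range(5):  # normal, fully completed SSH sessions
        lines.append(_conn_line(1001.0 + i, "10.0.0.7", 51000 + i,
                                "10.0.0.1", 22, "tcp", "SF", "ShAdDaFf"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(format_report(detect_floods(parse_conn_log(build_sample_log()))))
```

Against a real deployment you would read the current conn.log (or the rotated, gzipped copies under the logs directory) instead of build_sample_log(), and drive the script from cron so the report is generated and mailed on a schedule; the completed SF sessions in the sample are deliberately ignored so that ordinary traffic to the same host does not inflate the counts.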

Hi Diwakar,

The current version of Bro is 2.1 and I think you’d be better served running the more up-to-date version.

As for understanding logs, you can watch the videos from the 2011 Bro Workshop at