Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.


Dan Manzo

What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.

Bro gives you pretty much all the information you’d ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.


Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work? I’m trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn’t need any IP addresses, and will monitor whatever traffic is incoming from the server’s NICs. Is this correct?


Dan Manzo

Ah. You are correct: the listening interface can be set to promiscuous mode without having any assigned IP. Bro will analyze anything that interface receives.

You should consider setting your local subnets in $BROPATH/etc/networks.cfg

For some policies, that helps Bro know what to treat as local hosts versus external.
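The local-versus-external distinction from the last reply, as an added example that is not part of the thread and not Bro's own code: a small Python script that parses a constructed networks.cfg (hypothetical subnets, one CIDR per line with an optional description, `#` for comments) and then labels sample connections by whether each endpoint sits inside the configured local space. This mirrors in plain Python the decision Bro's site policy makes from networks.cfg, so you can sanity-check a networks.cfg before deploying the sensor; the "external" case in particular flags a file that misses the subnets the span port actually carries.

```python
import ipaddress

# Constructed sample networks.cfg (hypothetical subnets, not from the thread).
# Format: one CIDR per line followed by an optional description; '#' starts a comment.
NETWORKS_CFG = """\
# Local address space for this sensor
10.0.0.0/8        Private IP space
192.168.0.0/16    Private IP space
203.0.113.0/24    Our public range (documentation prefix, constructed)
"""


def parse_networks_cfg(text):
    """Return a list of (ip_network, description) parsed from networks.cfg text.

    A malformed prefix raises ValueError with its line number, so a typo is
    caught before the sensor starts instead of silently mislabeling traffic.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split(None, 1)
        cidr = fields[0]
        desc = fields[1].strip() if len(fields) > 1 else ""
        try:
            # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/8).
            # That is this example's choice: surface the mistake rather than guess.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"networks.cfg line {lineno}: bad prefix {cidr!r}") from exc
        nets.append((net, desc))
    return nets


def is_local_addr(addr, nets):
    """True if addr falls inside any configured local network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net, _ in nets if net.version == ip.version)


def direction(orig_h, resp_h, nets):
    """Label a connection by where its endpoints sit relative to the local nets."""
    o_local, r_local = is_local_addr(orig_h, nets), is_local_addr(resp_h, nets)
    if o_local and r_local:
        return "internal"
    if o_local:
        return "outbound"
    if r_local:
        return "inbound"
    # Neither side is local: usually a networks.cfg that omits a subnet the tap carries.
    return "external"


# Constructed connection tuples (originator, responder) as a monitor might see them.
SAMPLE_CONNS = [
    ("10.1.2.3", "203.0.113.10"),
    ("198.51.100.7", "192.168.5.20"),
    ("192.168.5.20", "10.9.9.9"),
    ("198.51.100.7", "198.51.100.8"),
]


def summarize(conns, nets):
    """Count connections per direction label."""
    counts = {}
    for orig_h, resp_h in conns:
        label = direction(orig_h, resp_h, nets)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    local_nets = parse_networks_cfg(NETWORKS_CFG)
    for net, desc in local_nets:
        print(f"{net:<18} {desc}")
    print(summarize(SAMPLE_CONNS, local_nets))
```

Run it with the real file substituted for the constructed string; an unexpectedly large "external" count means the file does not describe the traffic the interface is actually receiving.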