Missing notifications in Bro

Dear Bro Community,

I am a graduate student at Gjøvik University College in Norway.

I was hoping to compare the detection rate in Bro and Snort regarding some network attacks (using NMAP).

I’m not so familiar with Bro and after some hours of work I still have not found any log file telling me that Bro has detected an attack…

I have read a lot of the documentation on your web page.

My questions are the following:

#1 - How much can Bro’s default base installation tell me regarding attack events (notifications)? (I use the fresh Bro 2.0)

#2 - Can I easily get more notification logs from attack events?

Thank you!

Best Regards,

Roger Larsen

Master IS student

> I was hoping to compare the detection rate in Bro and Snort regarding some network attacks (using NMAP).

We don't focus heavily on attacks, only where it makes sense for us. Nmap being used on the network would be detected as a scan, and for our 2.0 release we don't have our scan detector in place right now. It's in our contributed scripts repository and will probably return soon, but for right now it's not in the default distribution.

I will say now though that comparing the detection rate between Snort and Bro is not a good thing to compare. There is a lot more to Bro than just running it and detecting a single incident of something in a tracefile.

> #1 - How much can Bro's default base installation tell me regarding attack events (notifications)? (I use the fresh Bro 2.0)
> #2 - Can I easily get more notification logs from attack events?

Doing a comparison like this is heavily weighted in Snort's favor because you're looking for Bro to do what the Snort community focuses on and not what we focus on. A poor comparison in the opposite direction would be to see what activity recording logs Snort outputs for various protocols (it doesn't do much), what correlation capabilities it has (it barely has any), or what its programming language can do (it doesn't have one).

Please don't try to compare Bro with Snort in this way. We would love for you to write a paper involving Bro but not where the comparison is weighted against us from the beginning. Feel free to follow up if you'd like to search for a more fair comparison together.

Thanks!
.Seth
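To illustrate the point made in the reply, that Bro's scan detection lives in its scripting language rather than in a fixed signature set, here is a minimal port-scan notice script written for the Bro 2.0 script language. It is an added example for this page, not code from the thread, from Seth, or from the Bro distribution (the real scan detector referred to above is the contributed scan.bro, which is considerably more careful). The module name, the threshold of 20 ports, the 5-minute expiry and the notice name are all assumptions chosen for the example.

```bro
##! Minimal per-(source, destination) port-scan notice for Bro 2.0.
##! Added example; not part of the Bro distribution or of this thread.

module ScanExample;

export {
    redef enum Notice::Type += {
        ## A single source probed many distinct ports on one host.
        Port_Scan,
    };

    ## Distinct ports before a notice is raised (assumed value, redef-able).
    const port_threshold = 20 &redef;
}

# Distinct destination ports seen from each (source, destination) pair.
# An entry is dropped if no new port has been added for 5 minutes (assumed).
global probed_ports: table[addr, addr] of set[port] &write_expire=5min;

function note_probe(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    if ( [orig, resp] !in probed_ports )
        probed_ports[orig, resp] = set();

    add probed_ports[orig, resp][c$id$resp_p];

    # Fire exactly once per pair, at the moment the threshold is crossed;
    # $identifier lets Notice::policy suppress repeats for the same pair.
    if ( |probed_ports[orig, resp]| == port_threshold )
        NOTICE([$note=Port_Scan,
                $msg=fmt("%s probed %d distinct ports on %s", orig, port_threshold, resp),
                $src=orig, $dst=resp,
                $identifier=cat(orig, resp)]);
    }

# SYN that never gets an answer (filtered port) ...
event connection_attempt(c: connection)
    {
    note_probe(c);
    }

# ... and SYN answered with a RST (closed port), which is what an Nmap
# SYN scan against a live host mostly produces.
event connection_rejected(c: connection)
    {
    note_probe(c);
    }
```

Run it over a capture of an Nmap scan with something like `bro -r scan.pcap local scan-example.bro` (file name assumed); with the default notice policy every raised notice is written to notice.log alongside the usual conn.log, which is where the "detection" a Snort-style comparison is looking for would show up. Note that a half-open scan against a host that answers on many ports produces full handshakes rather than attempts or rejections, so a real detector also has to count established connections and distinguish horizontal from vertical scans; that is exactly the logic the contributed scan.bro carries and this toy does not.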