nprobe, ngrep, tcpdump and tcpflow-like behavior of BRO ids?

Hello!

I want to ask you if BRO ids can totally replace the following software:

  • nprobe
  • ngrep
  • tcpdump
  • tcpflow

Thank you in advance!
panos

Instead of pointing to tools and asking if Bro can replace them, could you explain tasks you need to accomplish with a network monitoring tool? All of those tools have a lot of functionality and Bro certainly doesn't implement every bit of functionality they have. :slight_smile:

  .Seth

I am sorry for my incomplete question.
Here are the functionalities we need:

nprobe => convert raw network traffic to netflow format
ngrep => extract fields from incoming and outgoing HTTP traffic (url, referer, ...)
tcpdump => store size-limited TCP session (for an incoming SSH connection for example)
tcpflow => reconstruct TCP flows for given sessions (given source ip for example)

Thank you,
Panos

> nprobe => convert raw network traffic to netflow format

Bro doesn't output netflow, but we have a connection analyzer and scripts that output a file named conn.log which is similar but with more information.

> ngrep => extract fields from incoming and outgoing HTTP traffic (url, referer, ...)

I don't know if I would say that is a capability of ngrep. I guess in some cases it works for that, but the Bro 2.0 beta does a much better job.

> tcpdump => store size-limited TCP session (for an incoming SSH connection for example)

tcpdump doesn't even do this (that I know of). We have a tool named Time Machine that can do this and more though. It should be getting more attention and work done on it soon too.

> tcpflow => reconstruct TCP flows for given sessions (given source ip for example)

Yes

Try the 2.0 beta from our site. It's much easier to begin using than the current 1.5 release. You should be able to have some output in just a few minutes. Our quick start guide is available here:
  http://www.bro-ids.org/documentation-beta/quickstart.bro.html

  .Seth
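To illustrate the HTTP field extraction Seth refers to (the ngrep use case above), here is an added example script, not from this thread or the Bro project, that writes the request URI and Referer of every HTTP request to its own log. It assumes the Bro 2.x scripting API (the http_request, http_header and http_all_headers events and the Log framework); the module name HTTPFields and the log name are constructed for the example.

```bro
# Added example: log method, URI and Referer for each HTTP request Bro sees.
# Run against a capture:  bro -r capture.pcap http-fields.bro
# or on a live interface: bro -i eth0 http-fields.bro
# Assumes the Bro 2.x scripting API; output goes to httpfields.log.

module HTTPFields;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time   &log;
        orig_h:  addr   &log;   # client address
        resp_h:  addr   &log;   # server address
        method:  string &log;
        uri:     string &log;
        referer: string &log &optional;   # absent when the client sent no Referer
    };
}

# Requests whose headers are still arriving, keyed by connection 4-tuple.
global pending: table[conn_id] of Info;

event bro_init()
{
    Log::create_stream(HTTPFields::LOG, [$columns=Info]);
}

# Request line seen: remember it until the headers are complete.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    pending[c$id] = [$ts=network_time(), $orig_h=c$id$orig_h,
                     $resp_h=c$id$resp_h, $method=method, $uri=unescaped_URI];
}

# Header names are delivered upper-cased; only client-side (is_orig) headers carry a Referer.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( is_orig && name == "REFERER" && c$id in pending )
        pending[c$id]$referer = value;
}

# All request headers have been seen: emit one log line and drop the state.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    if ( is_orig && c$id in pending )
    {
        Log::write(HTTPFields::LOG, pending[c$id]);
        delete pending[c$id];
    }
}
```

Note that the stock Bro 2.0 http.log already records uri and referrer, so a custom stream like this is only needed when you want a narrower or differently shaped log.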