Experiences Learned from Bro

Bro is a system for detecting network intruders in real time by passively monitoring a network link. Its design emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Bro has been in production use since early 1996. We discuss the structure of the system and the lessons learned from our experiences, with an emphasis on some of the key challenges for future intrusion detection systems.

Vern Paxson, Network Research Group, Lawrence Berkeley National Labs

BibTeX
@inproceedings {271733,
author = {Vern Paxson},
title = {Experiences Learned from Bro},
booktitle = {1st Workshop on Intrusion Detection and Network Monitoring (ID 99)},
year = {1999},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/id-99/experiences-learned-bro},
publisher = {USENIX Association},
month = apr
}