Cluster Bro [5] begins with standard Bro with some modified policy scripts and roll assignments. One system is assigned to be the manager, the single node responsible for reporting all alerts and performing any response actions (such as activating ACL blocks). One or more systems are proxies. These proxies control shared data structures (such as for scan detection) and coordinate communication between cluster nodes.
The final Bro systems are sensor nodes. These sensor nodes process the individual communication between hosts. For more global analysis, such as scan detection, the sensor nodes communicate updates to the proxies. Likewise, alerts are reported to the manager node which performs aggregation.
Additionally, Cluster Bro requires a load balancer, either in software or hardware. The load balancer performs a simple hash on the (SRC IP, DST IP) tuple, and then sends the packet to the correct sensor by overwriting the destination MAC address.