Summary: Bro: A System for Detecting Network Intruders in Real-Time
Network Research Group
Lawrence Berkeley National Laboratory
Berkeley, CA 94720
Revised January 14, 1998
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized lan-
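The three-stage pipeline the abstract describes (kernel packet filter, event engine, policy script interpreter) as a toy illustration in Python; this is added example code, not Bro's own implementation or its scripting language. The packet records, the flag strings, the event names and the site policy are all constructed assumptions for the demo.

```python
from collections import defaultdict
# Constructed sample traffic (not from the paper): (src, dst, dport, tcp_flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 80, "S"),   # SYN to the web port
    ("10.0.0.9", "10.0.0.5", 80, "SA"),  # SYN-ACK: connection established
    ("10.0.0.5", "10.0.0.9", 23, "S"),   # SYN to telnet, never answered
]

def kernel_filter(pkt):
    # Stand-in for the in-kernel packet filter: only SYN / SYN-ACK reach the engine.
    return pkt[3] in ("S", "SA")

class EventEngine:
    """Mechanism: reduces the filtered packet stream to higher-level events."""
    def __init__(self, interpreter):
        self.interpreter = interpreter
        self.pending = {}  # (orig, resp, port) of SYNs awaiting a SYN-ACK

    def process(self, pkt):
        src, dst, port, flags = pkt
        if flags == "S":
            self.pending[(src, dst, port)] = True
            self.interpreter.dispatch("connection_attempt", src, dst, port)
        elif flags == "SA" and self.pending.pop((dst, src, port), None):
            self.interpreter.dispatch("connection_established", dst, src, port)

class PolicyInterpreter:
    """Policy: site-written handlers decide which events merit a notice."""
    def __init__(self):
        self.handlers = defaultdict(list)
        self.notices = []

    def dispatch(self, event, *args):
        for handler in self.handlers[event]:
            handler(self, *args)

def site_policy(interp, allowed_ports):
    # Example policy: record established connections; notify on attempts to unexposed ports.
    def on_attempt(interp, src, dst, port):
        if port not in allowed_ports:
            interp.notices.append(f"attempt {src} -> {dst}:{port}")
    interp.handlers["connection_attempt"].append(on_attempt)
    interp.handlers["connection_established"].append(
        lambda i, s, d, p: i.notices.append(f"established {s} -> {d}:{p}"))

def run(packets, allowed_ports=frozenset({80})):
    # Drive the pipeline: kernel filter -> event engine -> policy; return the notices.
    interp = PolicyInterpreter()
    site_policy(interp, allowed_ports)
    engine = EventEngine(interp)
    for pkt in filter(kernel_filter, packets):
        engine.process(pkt)
    return interp.notices
```

Changing the policy (for example, the set of exposed ports) leaves the event engine untouched, which is the mechanism/policy separation the abstract refers to.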