Tutorial M3 – The Bro Network Intrusion Detection System

Dr. Vern Paxson & Dr. Robin Sommer, International Computer Science Institute

Monday, December 7th, Full Day

This tutorial will give an introduction to the Bro network intrusion detection system, a flexible open-source system running on commodity hardware that has been actively developed by the presenters since 1996. The Bro system provides a powerful means for expressing network security analysis tasks at different semantic levels and is not tied to any particular detection approach. Bro achieves its rich, semantic processing by providing a domain-specific analysis language that makes it fully customizable to a site's security policy. Bro is used operationally in many large-scale environments, including the Lawrence Berkeley National Laboratory, where both presenters hold joint appointments and are directly involved with cyber-security operations. Bro has also been used in numerous research studies aimed at understanding the specifics of network traffic, sometimes independent of security aspects.

The tutorial will provide attendees with an in-depth understanding of operating the Bro NIDS. We will present an overview of the system's philosophy & architecture, and provide a step-by-step introduction to using the system effectively. A particular focus of the tutorial will be learning Bro's scripting language. After the tutorial, attendees will be able to write their own, site-specific analysis scripts. In addition, we will cover a range of more specific topics, including interfacing Bro with external applications, which will allow attendees to integrate the system into their existing setups.

The tutorial's content will be based on past "Bro Hands-On Workshops" that we have held quite successfully at the San Diego Supercomputer Center in 2007 and at UC Berkeley in 2009. The workshops were attended by network operators from academia, industry and government sites. The tutorial hand-outs will include slides as well as a number of hands-on exercises (with solutions) for attendees to practice what they have learned.


  1. Bro Design Overview: System philosophy; Architecture
  2. Installing the Bro NIDS: Compilation & installation; Basic command-line usage
  3. Basics of Using Bro: Typical Bro usage; Basic customization
  4. Scripting Language Overview: Syntax; Data types; Example scripts
  5. Advanced Bro Scripting: State management & persistence; Signatures; Profiling & debugging
  6. Bro Communication: Inter-Bro communication; Interfacing with external applications
  7. The Time Machine: Interfacing Bro with a packet bulk recorder
  8. The Bro Cluster: Architecture; Operation


The tutorial is primarily targeted at two groups of attendees: security staff of network environments considering an operational deployment of the Bro NIDS; and academic researchers and students with the need for a flexible network traffic analysis platform. We do not assume any prior knowledge about using Bro, though attendees should be familiar with Unix shell usage and have a comfortable understanding of Internet protocols and tools for examining network traffic (e.g., tcpdump or Wireshark).

About the Instructors

Dr. Vern Paxson is an Associate Professor in Electrical Engineering and Computer Sciences at the University of California, Berkeley, and also has affiliations with the International Computer Science Institute and the Lawrence Berkeley National Laboratory. His main active research projects are network intrusion detection in the context of Bro, a high-performance network intrusion detection system he developed; network measurement and analysis; and the threat of botnets and the underground economy that they fuel. He has served as program chair or co-chair for USENIX Security, ACM SIGCOMM, ACM HotNets, and the IEEE Symposium on Security and Privacy. He is an ACM Fellow and recipient of the 2008 ACM Grace Murray Hopper Award for his work on Internet measurement.

Dr. Robin Sommer is a staff researcher at the International Computer Science Institute in Berkeley, and he is also a member of the cyber-security team at the Lawrence Berkeley National Laboratory. His research focus is on network security monitoring in high-performance, operational settings, and he is one of the core developers of the Bro system. He chaired the 2007 DIMVA conference and has served on several academic program committees. He holds a doctoral degree from TU Munich, Germany.