Sravan Bhamidipati bsravanin at gmail.com
Wed Jul 18 14:24:27 PDT 2012


I am a grad student trying to get acquainted with Bro. I have tried using
it on a few datasets available (including the old DARPA ones). I am able to
get logs and notices and weirds, but I have doubts about Bro configuration:

1. How do the IP ranges specified in Site::local_nets and networks.cfg
affect Bro's monitoring? Do they have different use cases, or can they be
used interchangeably? Or do they have nothing to do with each other? (As of
now, my Site::local_nets and networks.cfg are identical.)

2. From my layman's understanding, given a PCAP, the larger the window of
time and the number of packets that a system looks at, the more accurate its
detection could be, the tradeoff being that of memory/performance. (I guess
there won't be any packet dropping when reading PCAPs.) Is that true?

3. For someone who doesn't know much about the Bro language, are there any
generic configuration settings or tunables that might improve detection
rates? Like the maximum size up to which a packet is read, or the number of
packets that Bro simultaneously analyzes. (Snort has some parameters along
these lines.)

4. How does Bro handle packet defragmentation and stream reassembly? Is
there documentation for the internals, about the various components and
analyzers and how they analyze traffic? I am looking for a basic

Thank you.
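The following is an added illustration of how Site::local_nets is consumed by a Bro script; it is not part of the post above and is not code from the Bro project's own documentation. The address ranges are constructed sample values, and the script file name used in the usage note is a placeholder. When Bro is started through BroControl, the CIDRs in networks.cfg are written into a generated local-networks.bro that redefs Site::local_nets, so the two describe the same set; when bro is run directly on a PCAP, networks.cfg is not consulted and Site::local_nets has to be populated from a script, as done here.

```bro
# Added example, not from the original post or from the Bro project.
# The subnets below are constructed sample ranges, not a real site's networks.
# Site::local_nets is declared &redef in base/utils/site.bro, so a script can
# extend it; BroControl does exactly this from networks.cfg at install time.
redef Site::local_nets += {
	10.0.0.0/8,
	192.168.0.0/16
};

# Site::is_local_addr() checks membership in Site::local_nets. Policy scripts
# rely on it to tell inbound from outbound traffic, which is why an empty or
# wrong Site::local_nets quietly degrades notices such as scan detection.
event connection_established(c: connection)
	{
	local orig_local = Site::is_local_addr(c$id$orig_h);
	local resp_local = Site::is_local_addr(c$id$resp_h);

	if ( orig_local && ! resp_local )
		print fmt("outbound: %s -> %s", c$id$orig_h, c$id$resp_h);
	else if ( ! orig_local && resp_local )
		print fmt("inbound:  %s -> %s", c$id$orig_h, c$id$resp_h);
	else if ( orig_local && resp_local )
		print fmt("internal: %s -> %s", c$id$orig_h, c$id$resp_h);
	else
		print fmt("transit:  %s -> %s", c$id$orig_h, c$id$resp_h);
	}
```

To run it against a capture, save the script as (for example) local-nets-demo.bro and invoke bro -r trace.pcap local-nets-demo.bro; the "transit" branch fires for connections where neither endpoint is local, which is usually a sign that the configured ranges do not match the traffic in the trace.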

