[Bro-Dev] feedback from a would-be user - bite-sized Bro explanations needed

Vern Paxson vern at icir.org
Mon May 7 12:06:04 PDT 2012

This is someone who's a skilled hacker-type who on a recent thread on a
private list heard about Bro as a potential solution for his home network
monitoring.  Note that he offers at the end to review stuff (though I kept
this anonymous for now, since that's the strong culture of that list due
to its private nature).


> I have a bit of feedback - really, a suggestion. I hope you take this
> in the spirit it's intended. I'm not armchair quarterbacking, I really
> would like to read this stuff.
> After perusing both Bro-ids.org and Wikipedia, I couldn't find any
> document that explains what Bro _really is_ (not just the features
> listed on the front page), what the architecture is, what the intended
> use cases are and how you expect it to be used.
> I find a lot of open source projects miss this, but especially for
> Bro, it'd be really helpful if you had something that could cover
> that. I looked at the installation guide, quick start guide, and even
> some of the configuration stuff.
> It looks like Bro is light years beyond what I've used before - but
> without downloading it and playing with it, I can't know. And frankly,
> I'm so pressed for time (and don't have an environment in which I'm
> comfortable inserting software just to play with it), I'm never going
> to prioritize it unless I know what I'm going to get out of it.
> Oftentimes, when projects' web sites come up short on basic info, I
> check Wikipedia which furnishes more. Check out Bro's page:
> http://en.wikipedia.org/wiki/Bro_%28software%29
> Ouch, no help there. The link from Wikipedia's IDS page points to this
> page, not bro-ids.org. Furthermore, that link is undifferentiated from
> the others. I figure since Snort's the best-known of the bunch, most
> people are likely to click through to Snort without ever considering
> Bro.
> http://en.wikipedia.org/wiki/Intrusion_Detection_System
> I'm sure you don't need a marketing lecture from me, and I'm sure
> you're probably too busy to do this stuff, but even if you can't do
> anything about this yourself, perhaps there's someone on the project
> you could forward this e-mail to. Let me know if there's anything I
> can do to help (I can review, etc).

