Bro (http://www.bro-ids.org/) is a network intrusion detection system (NIDS) with a twist. Bro supports signature analysis and can in fact read Snort signatures. (Snort is one of the most popular NIDS available.) Bro also performs a limited form of anomaly detection, looking for activity that resembles an intrusion. For example, many companies use the so-called RFC 1918 private addresses 192.168.1.0/24 for internal networks. Bro can be configured to flag an intrusion when it sees a 192.168.1.0/24 address on an external interface, which likely means someone is spoofing the address in an effort to “scale” the firewall and send traffic to the internal network.
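The check described above, sketched in Python as an added example; it is not Bro policy code and not part of the original page. It flags records whose source address lies in the internal 192.168.1.0/24 range but which arrived on an external interface. The interface name `eth0`, the four-field record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the original page): interface names and record layout.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # internal range named in the text
EXTERNAL_IFACES = {"eth0"}  # hypothetical name of the Internet-facing interface

# Constructed sample records: "<timestamp> <interface> <src_ip> <dst_ip>"
SAMPLE_LOG = """\
1000.1 eth1 192.168.1.15 203.0.113.9
1000.2 eth0 198.51.100.7 192.168.1.20
1000.3 eth0 192.168.1.77 192.168.1.20
1000.4 eth0 not-an-ip 192.168.1.20
1000.5 eth0 192.168.2.5 192.168.1.20
"""


def find_spoofed_sources(log_text, internal_net=INTERNAL_NET,
                         external_ifaces=EXTERNAL_IFACES):
    """Return (alerts, rejects).

    alerts:  records whose source is inside internal_net but which
             arrived on an external interface (likely spoofed).
    rejects: (line number, line) pairs that could not be parsed, kept
             so malformed input is reported instead of silently dropped.
    """
    alerts, rejects = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 4:
            rejects.append((lineno, line))
            continue
        ts, iface, src, dst = fields
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # validate only
        except ValueError:
            rejects.append((lineno, line))
            continue
        # An IPv6 source is never "in" an IPv4 network, so it cannot match.
        if iface in external_ifaces and src_ip in internal_net:
            alerts.append({"ts": ts, "iface": iface, "src": src, "dst": dst})
    return alerts, rejects


if __name__ == "__main__":
    alerts, rejects = find_spoofed_sources(SAMPLE_LOG)
    for a in alerts:
        print("ALERT internal source on external interface:", a)
    for lineno, line in rejects:
        print("unparsed line", lineno, ":", line)
```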

Bro runs on many versions of Linux and Unix. (Unfortunately, the Bro Web site doesn’t specify how well each Linux distribution is supported. In some cases, you may have to do some research and tinkering to get Bro to build on your favorite distribution.)

Features and Benefits:

* Bro is a network-based IDS.
* Rich Application-Layer Analysis – A primary feature of Bro is that it includes detailed, parser-driven analysis of many popular application protocols.
* Custom Scripting Language – Bro policy scripts are programs written in the Bro language.
* Pre-written Policy Scripts – Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the important attack activity.
* Powerful Signature Matching Facility – Bro policies incorporate a signature matching facility that looks for specific traffic content.
* Network Traffic Analysis – Bro not only looks for signatures, but can also analyze network protocols, connections, transactions, data amounts, and many other network characteristics. It has powerful facilities for storing information about past activity and incorporating it into analyses of new activity.
* Detection Followed by Action – Bro policy scripts can generate output files recording the activity seen on the network (including normal, non-attack activity).
* Snort Compatibility Support – The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro signatures.