Abstract
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder\'s traffic transits. We give an overview of the system\'s design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an \"event engine\" that reduces a kernelfiltered network traffic stream into a series of higherlevel events, and a \"policy script interpreter\" that interprets event handlers written in a specialized language used to express a site\'s security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the four applications integrated into it so far: Finger, FTP, Portmapper and Telnet. The system is publicly available in source code form.