The following points are by no means meant as criticism of Bro. I have personally found Bro to be an excellent (perhaps even the best) tool for monitoring network traffic in the various environments I have used it in. Bro has many advantages over other intrusion detection tools, and I leave it to its author and its other contributors to continue improving those and focusing on the software itself, since those are the areas that make Bro the excellent tool it is. The BRA project is simply a set of additions that I have found complement the running of Bro, and I hope that it will be useful to others. It is with this in mind that I have finally (after many years of using these tools myself) released the scripts I have made for using Bro. This is an alpha release of the environment. There is no implied warranty of usability or merchantability of any kind. Everything is provided 'AS-IS' under the GNU Public License. I do want to improve these tools, so I would be very grateful for any feedback. You can contact me via email with this mailto or via standard email at: Chris.Manders AT UnixHelpDesk.COM.
BRA tries to address the following problems with the initial setup of Bro and its environment:
1) The initial configuration of an environment in which Bro is to run is missing from both the source and the documentation. By this I mean that while parts of the documentation do list the environment variables needed to run Bro, there are no real working examples to help in setting up one's own environment without lengthy experimentation. One example would be the tcpdump filter that can be supplied with 'bro -f'.
2) A method of invoking Bro in a manner that will not, by default, overwrite the log files it creates is not included. Again, examples are the main things that are missing.
3) The few working Bro environments I have encountered each used a variety of scripts that needed to be 'massaged' and 'tweaked' for that individual environment.
4) The method by which Bro can safely be restarted without loss of network data is not covered in any depth. Again, the lack of examples means there are few consistent environments running Bro.
5) Since all of the Bro environments I have seen differ, there are very few ways to create tools that can be used across all of the implementations.
The main features of BRA:
1) The BRA environment encapsulates and provides wrapper functions for running Bro.
2) All of the scripts are written in Perl for consistency.
3) All of the scripts use one single configuration file (~/etc/config.cf).
4) All of the scripts are meant to be small and to take up little disk space, memory and CPU.
5) Provide a means to 'checkpoint' or 'restart' a Bro instance without loss of network traffic analysis.
6) Provide a default set of reports that are sent to those using Bro (coming in next release).
7) Help organize the log files for later use.