Friday, October 20, 2006

Bro-IDS v1.2

For those who haven't noticed, Bro-IDS v1.2 has been released. The major improvement is dynamic protocol detection (identifying an application protocol from the traffic itself rather than trusting the port number, so a service running on a non-standard port still gets the right analyzer); I can't really comment on it yet since I haven't dug into it. Other than that, lots of features and bugfixes went into this version, and you can find the changelogs here. If you want to know more about dynamic protocol detection, you can check this out.

Since I already had Bro-IDS v1.1 running, I was surprised how quickly the upgrade to 1.2 went: just untar the 1.2 source once you have downloaded it and run the usual steps, ./configure, then gmake && gmake install, and you are done. I had no problems at all upgrading to 1.2 on my FreeBSD box.

We all know Bro-IDS is not as popular as Snort, but it is one of the obvious alternatives if you want to deploy a network IDS, since not many open source NIDS projects survive long enough; producing a solid NIDS takes a lot of effort.

Prelude has long since moved away from its NIDS role; it is now more of a SIM instead.

To the Bro-IDS development team: you guys just rock!

Cheers :]

3 comments:

Anonymous said...

At the moment Snort is the *only* NIDS that works with Prelude. Although Snort is quite a good NIDS, it would still be nice to have the possibility of using Bro with Prelude.

Hopefully they will include this feature soon...

gpl_worm said...

Right, and you should emphasize that it is under the BSD license.

Anonymous said...

Sorry if this has been addressed before. I heard about Bro and it caught my interest.


1. How easy is it to deploy compared to Snort?
2. What would be the learning curve for someone to build/deploy/configure/tune BRO who has built/deployed/configured/tuned Snort?
3. Does it easily accept all of the existing Snort signatures?
4. What is the recommended hardware for a sensor sniffing 200 MB of traffic? 1-2 gig of traffic on a 1 gig switch uplink span port?
5. Is the proprietary Bro language difficult to master in order to create new scripts?
6. What would be a good complement to the Bro IDS (a primary commercial IDS that works well with Bro)?
7. Does it fare well in a large environment or is it meant for smaller networks?