Introduction
Bro is a policy-controlled, event-based distributed intrusion detection system. Bro nodes can exchange events, policy state, network packets, and other information amongst each other.
Broccoli enters the picture when it comes to integrating components that are not
Bro instances themselves. Broccoli lets you create applications that can speak the Bro
communication protocol. You can compose, send, request, and receive events.
You can register your own event handlers. You can talk to other Broccoli
applications or Bro agents — Bro agents cannot tell whether they are talking
to another Bro or a Broccoli application. Broccoli allows you to integrate applications
of your choosing into a distributed policy-controlled event management system.
Broccoli applications will typically do one or more of the following:
- Configuration/Management Tasks: The Broccoli application is used to configure remotely running Bros without the need for a restart.
- Interfacing other Systems: The Broccoli application is used to convert Bro events to other alert/notice formats, for instance into syslogd entries.
- Host-based Sensor Feeds into Bro: The Broccoli application reports events based on host-based activity generated in kernel space or user space applications.
Manual
The manual for the latest release is always available as HTML and is also included in the distribution.
Applications
Broccoli has also been used successfully for integrating Apache and sshd with Bro.
Other examples include its use as a mediator between Bro and external
applications such as database backends.
Availability
As of Bro release 1.1, Broccoli is bundled with it. Older releases can be found in my downloads folder.
For a detailed list of changes, please consult aux/broccoli/ChangeLog in the Bro distribution.
Related Publications