Christian Kreibich
ICSI » ICIR » Christian Kreibich » Broccoli
The Bro client communications library


Bro is a policy-controlled, event-based distributed intrusion detection system. Bro nodes can exchange events, policy state, network packets, and other information amongst each other. Broccoli enters the picture when it comes to integrating components that are not Bro instances themselves. Broccoli lets you create applications that can speak the Bro communication protocol. You can compose, send, request, and receive events. You can register your own event handlers. You can talk to other Broccoli applications or Bro agents — Bro agents cannot tell whether they are talking to another Bro or a Broccoli application. Broccoli allows you to integrate applications of your choosing into a distributed policy-controlled event management system.

Broccoli applications will typically do one or more of the following:

  • Configuration/Management Tasks:
    The Broccoli application is used to configure remotely running Bros without the need for a restart.
  • Interfacing other Systems:
    The Broccoli application is used to convert Bro events to other alert/notice formats, for into syslogd entries.
  • Host-based Sensor Feeds into Bro:
    The Broccoli application reports events based on host-based activity generated in kernel space or user space applications.


The manual for the latest release is always available as HTML here and also included in the distribution.


Broccoli has also been used successfully for integrating Apache and sshd with Bro. Other examples include its use as a mediator between Bro and external applications such as database backends.


As of Bro release 1.1, Broccoli is bundled with it. Older releases can be found in my downloads folder. For a detailed list of changes, please consult aux/broccoli/ChangeLog in the Bro distribution.

Related Publications

  • Enriching Network Security Analysis with Time Travel pdf

    G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson and F. Schneider. Proc. ACM SIGCOMM 2008.
  • Policy-controlled Event Management for Distributed Intrusion Detection pdf

    C. Kreibich and R. Sommer. 4th International Workshop on Distributed Event-Based Systems (DEBS'05), 2005, Columbus/Ohio, USA.
updated on 26 July 19 | yummy spam, yesss... built with TT | (cc) Christian Kreibich