Welcome! You're looking at the Broccoli manual. Thanks for reading this.
Broccoli is the BRO Client COmmunications LIbrary. It allows you to write applications that speak the communication protocol of the Bro intrusion detection system. In this document, we assume that you are familiar with the basic concepts of Bro. If you need a refresher, please have a look at the original paper, the user manual, and the material on bro-ids.org in general.
Having a single IDS on your network is good, but things become a lot more interesting when you can communicate information among multiple vantage points in your network. Bro agents can communicate with other Bro agents, sending and receiving events and other state information. In the Bro context this is particularly interesting because it means that you can build sophisticated policy-controlled distributed event management systems.
Broccoli enters the picture when it comes to integrating components that are not Bro agents themselves. Broccoli lets you create applications that can speak the Bro communication protocol. You can compose, send, request, and receive events. You can register your own event handlers. You can talk to other Broccoli applications or Bro agents — Bro agents cannot tell whether they are talking to another Bro or a Broccoli application. Broccoli allows you to integrate applications of your choosing into a distributed policy-controlled event management system. Broccoli is intended to be portable: it should build on Linux, the BSDs, Solaris, and Windows (in the MinGW environment).
Unlike other distributed IDSs, Bro does not assume a strict sensor–manager hierarchy in the information flow. Instead, Bro agents can request delivery of arbitrary events from other instances. When an event is triggered in a Bro agent, it checks whether any connected agents have requested notification of this event, and sends each of them a copy of the event, including the event arguments. Recall that in Bro, an event handler is essentially a function defined in the Bro language, and an event materializes through invocation of an event handler. Each remote agent can define its own event handlers.
Broccoli applications will typically do one or more of the following:
Configuration/Management Tasks: the Broccoli application is used to configure remotely running Bros without the need for a restart.
Interfacing other Systems: the Broccoli application is used to convert Bro events to other alert/notice formats, for instance into syslogd entries.
Host-based Sensor Feeds into Bro: the Broccoli application reports events based on host-based activity generated in kernel space or user space applications.