
Bro is used primarily as a Deep Packet Inspection (DPI) metadata generator.  Metron does not currently use Bro's IDS alerting features.  Metron integrates with Bro through a Bro plug-in, so Bro itself does not need to be recompiled.  Instructions for building and installing the plug-in alongside Bro are here: https://github.com/apache/incubator-metron/blob/master/bro-plugin-kafka/README.md .  The plug-in formats Bro's log output as JSON and publishes it to a Kafka topic.  The JSON messages emitted by the plug-in are designed to be consumed by the Metron Bro parsing topology.

DPI metadata is not a replacement for PCAP but a complement to it.  Extracting DPI metadata (layer 7 visibility) is expensive, so it is performed only for selected protocols.  We recommend enabling DPI for the HTTP and DNS protocols.  Hence, while the PCAP probe records every packet it sees on the wire, DPI metadata is extracted only for a subset of those packets.
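The following is an added example, not code from the Metron project or from the Bro plug-in, showing what a consumer of the plug-in's Kafka topic has to do with the JSON described above: validate each message, flatten the Bro record, and keep only the protocols this page recommends enabling DPI for (HTTP and DNS).  It assumes the plug-in's message layout is a single JSON object keyed by the Bro log name (`http`, `dns`, ...) wrapping that log's record; the record field names are the standard Bro `http.log` and `dns.log` column names, and the Metron-style output names (`ip_src_addr`, `timestamp` in epoch milliseconds, and so on) are an assumed convention, not taken from this page.  The sample messages are constructed, not captured from a sensor.

```python
"""Consume Bro JSON records as published by a Kafka plug-in (added example).

Assumptions (not from the page): one JSON object per Kafka message, keyed by
the Bro log name; Bro's standard log column names; Metron-style output fields.
"""
import json
from typing import List, Optional, Tuple

# Constructed sample messages: two DPI logs, one conn log, one garbage line,
# and one malformed message carrying two log types at once.
SAMPLE_MESSAGES = [
    '{"http": {"ts": 1402307733.473, "uid": "CTo78A11g7CYbbOHvj", '
    '"id.orig_h": "192.249.113.37", "id.orig_p": 58808, '
    '"id.resp_h": "72.167.131.223", "id.resp_p": 80, "method": "GET", '
    '"host": "www.example.com", "uri": "/", "status_code": 200}}',
    '{"dns": {"ts": 1402308259.609, "uid": "CuJT272SKaJSuqO0Ia", '
    '"id.orig_h": "10.122.196.204", "id.orig_p": 33976, '
    '"id.resp_h": "144.254.71.184", "id.resp_p": 53, "proto": "udp", '
    '"query": "www.cisco.com", "qtype_name": "A", "answers": ["144.254.71.184"]}}',
    '{"conn": {"ts": 1402308100.0, "uid": "CabcXYZ", "id.orig_h": "10.0.0.1", '
    '"id.orig_p": 1234, "id.resp_h": "10.0.0.2", "id.resp_p": 22, "proto": "tcp"}}',
    'this is not json',
    '{"http": {"ts": 1402307734.0}, "dns": {"ts": 1}}',
]

# Protocols the page recommends extracting DPI metadata for.
DPI_PROTOCOLS = {"http", "dns"}

# Bro connection-tuple columns -> assumed Metron-style field names.
TUPLE_FIELDS = {
    "id.orig_h": "ip_src_addr",
    "id.orig_p": "ip_src_port",
    "id.resp_h": "ip_dst_addr",
    "id.resp_p": "ip_dst_port",
}


def parse_bro_message(raw: str) -> Optional[dict]:
    """Turn one Kafka message into a flat dict, or None if it is malformed.

    A message must be a JSON object with exactly one top-level key (the log
    name) whose value is an object carrying Bro's `ts` column; anything else
    is dropped rather than guessed at, since a parser that accepts arbitrary
    shapes will happily index garbage downstream.
    """
    try:
        obj = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(obj, dict) or len(obj) != 1:
        return None
    protocol, record = next(iter(obj.items()))
    if not isinstance(record, dict) or not isinstance(record.get("ts"), (int, float)):
        return None

    out = {"protocol": protocol, "source.type": "bro"}
    for key, value in record.items():
        if key == "ts":
            # Bro reports epoch seconds as a float; assumed target is epoch ms.
            out["timestamp"] = round(value * 1000)
        elif key in TUPLE_FIELDS:
            out[TUPLE_FIELDS[key]] = value
        else:
            # Dotted Bro column names are flattened so they index cleanly.
            out[key.replace(".", "_")] = value
    return out


def parse_batch(messages: List[str]) -> Tuple[List[dict], int]:
    """Parse a batch of messages; return (parsed records, number dropped)."""
    parsed = []
    dropped = 0
    for raw in messages:
        rec = parse_bro_message(raw)
        if rec is None:
            dropped += 1
        else:
            parsed.append(rec)
    return parsed, dropped


def select_dpi_records(records: List[dict]) -> List[dict]:
    """Keep only records from the protocols DPI is enabled for."""
    return [r for r in records if r["protocol"] in DPI_PROTOCOLS]


if __name__ == "__main__":
    good, bad = parse_batch(SAMPLE_MESSAGES)
    print(f"parsed={len(good)} dropped={bad}")
    for rec in select_dpi_records(good):
        print(rec["protocol"], rec["ip_src_addr"], "->", rec["ip_dst_addr"], rec["ip_dst_port"])
```

The filter on `DPI_PROTOCOLS` is the consumer-side counterpart of enabling DPI only for HTTP and DNS: if the plug-in is configured to forward other logs as well (the `conn` record above), they still parse, but they are not what the DPI topology is meant to index, and dropping malformed messages rather than partially accepting them keeps a bad sensor from polluting the index.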

It should also be noted that while Metron ships with a Bro DPI sensor via the plug-in, Bro is not the only tool for extracting DPI metadata.  Qosmos is another popular DPI tool, and we plan to support it soon.

For related components see:

Parsing Topology
