Bro is primarily used as a Deep Packet Inspection (DPI) metadata generator. Metron does not currently utilize the IDS alerts features of Bro. Metron integrates with Bro via a Bro Plug-in, and does not require recompiling of Bro code. The instructions for building and installing the Bro plug-in with Bro can be found here: https://github.com/apache/incubator-metron/blob/master/bro-plugin-kafka/README.md . The Bro plug-in formats Bro output messages into JSON and puts them onto a Kafka topic. The JSON messages outputted by the Bro plug-in are designed to be parsed by the Metron Bro parsing topology.
DPI Metadata is not a replacement for PCAP, but rather a compliment. Extracting DPI Metadata (layer 7 visibility) is expensive, and thus, is performed only on selected protocols. We recommend enabling DPI for HTTP and DNS protocols. Hence, while the PCAP probe records every single packets it sees on the wire, the DPI metadata is extracted only for a subset of these packets.
It should also be noted that while Metron ships with a Bro DPI sensor via a plug-in, Bro is not the only tool for extracting DPI. Qosmos is another popular tool for doing DPI and we plan on supporting it soon.
For related components see: