This is release 0.9 of Bro, a system for detecting network intruders in
real-time using passive network monitoring.  

Installation instructions can be found at:
http://www.bro-ids.org/Bro-quick-start/Installation-and-Configuration.html

PDF and HTML versions of the manuals are also available in the doc/
directory.  Please note that this documentation is preliminary and still
missing pieces.

A paper describing the system is also available in doc/pubs/.  An earlier
version appeared in the Proceedings of the USENIX Security Symposium,
January 1998.  This version appears in Computer Networks 31(23-24),
Dec. 1999.  In addition, doc/misc/conn-logs/ contains a brief summary of
the connection logs generated by the sample policy scripts (which are in
policy/).

This is a beta release.

Bro uses libpcap, and assumes that you've already installed it.  If not,
you can get it from www.tcpdump.org.

Bro needs flex, available from
	ftp://ftp.ee.lbl.gov/flex-2.5.4.tar.Z

Flex is already installed on most systems, so with luck you can skip
having to install it yourself.

Bro needs bison or byacc.  These come with many systems, but if you get
errors compiling parse.y, you will need to install them.  bison is available
from GNU sites such as ftp.gnu.org.

Bro requires BIND8 headers and libraries.

To build:

	./configure
	make
	make install

To start bro:

	/usr/local/bro/etc/bro.rc start

To run from a previously captured tcpdump save file named foo:

	bro -r foo mt

"mt" directs bro to the policy script policy/mt.bro, which loads many
(not all) of the other policy scripts.


To run from interface le0 using tcpdump filter XYZ:

	bro -f "XYZ" -i le0 mt

or, in your policy script, add

	redef interfaces = "le0";

Without -f, you can see the filter Bro will use by executing

	bro mt print-filter


To run interactively (e.g., for playing with expression evaluation):

	bro

"bro -h" lists the various options.

Some auxiliary scripts and utilities are available in the aux/ directory.

The source code is covered by a BSD-style copyright notice.  I ask, however,
that you not redistribute any release without asking me first.

Send comments, etc., to vern@ee.lbl.gov.

Vern Paxson

Lawrence Berkeley National Laboratory
University of California, Berkeley  USA

ICSI Center for Internet Research (ICIR)
International Computer Science Institute
Berkeley, CA  USA
vern@icir.org
