BRO-IDS is designed to achieve high-speed monitoring, real-time notification and extensible IDS. By monitoring the high-speed network and large volume data flows, Bro-IDS do not tolerate to drops any packet from filter. Notifications have to be issue as fast as possible when it detects the attempted attacks. To makes the system grows stronger and customizable, extensible and the ease of extend is important. The policies are written in Bro language which is extensible and flexible. One important thing, Bro-IDS do assume the monitor will be attacked. Bro-IDS do assume the attackers familiar of Bro-IDS's system structure and design, again it must be able to get ready for the attacks, which it makes the design of IDS much challenging.
The structure of Bro-IDS system can be divided into few blocks. From bottom to top, Bro-IDS is divided into Network, libpcap ( which it does packet filtering ), Event engine and policy script interpreter. libpcap is a well known packet filtering libraries used by tcpdump, it allows you to downloads a copy packets directly from the kernel to user level. The packets will be filtered where it only downloads certain packets to user level, the rest of the unwanted packets will be ignore. By doing this, it reduce workload of downloading process to the user level, and consequently improves the speed of accessing packets and reduce the possibility of packets drops.
Packets filtered by Bro-IDS is based on ports, certain bits in IP or TCP headers. For examples, 13th bit of TCP header will indicate whether it is set with SYN, FIN, RST or nothing. This information is important to keep the status of TCP connections states. Full details packets will be captured and forward to the next layer instead of default tcpdump snapshot length 68 bytes.
The filtered packets stream will be forwarded to the next layer - Event engine. First two things event engine will do before generating events for policy checking are packet header verification and IP fragment reassembling. Verification has to be done on packets header including IP header checksum. Event will be generated and packets will be discarded if the packet does not pass the checking. IP fragments will be combined into complete IP datagram so that it can be analyze easily. For basic tcp packets, four events can be generated, they are connection_attempt, connection_established and connection_rejected and connection_finished. For UDP, it is udp_request and udp_reply. The packets that lead to generate these events, its header will be stored for further analysis. Besides that, full packets will passed to corresponding handle for further analysis.
Policy script interpreter is the core of Bro-IDS, which it contains various event handlers. They will checks for events passed to them, based on the events, they will with generating new events, logging real-time notifications, recording date to disk or modifying internal state.This part can be very complex, which I need to have further study on the reference documents. All policies was written in its own bro language and it allows user to customized and extend the policies.
This summary is to show the basic architecture of Bro-IDS system only, the paper have covers more than that. The paper further introduces the Bro language, implementation issues, illustrate the possible attacks on monitor and what is the counter attack of Bro-IDS towards these attacks etc. I would like to suggest you to read the paper for further understanding and all comments are welcome. My initial diagram consist of more details info, and the current diagram had be simplified due to my shortcomming of generating it.