There's no better way to see what's on your network.

Corelight Sensors extract over 400 data elements from network traffic in real time, with open-source Bro - using a format that was chosen by incident responders, for incident responders. When your team can work faster, the network is safer.

Download Bro Logs: a selection

How people use Bro.

Bro’s exceptional data and flexible scripting language have inspired security and operations teams around the world to find creative applications for the open-source platform. Here are just a few examples:

Threat hunting

Assessing the scope of a malware attack

Pivot off a malware hash in Bro’s files.log to immediately see all other hosts in an environment that have downloaded the malicious file and then prioritize additional incident response work such as agent deployment.


Locating PCAP files for an investigation

Use Bro’s network logs and timestamps to quickly locate the relevant portions of PCAP files needed to verify conclusions.

Verifying containment and remediation

Use Bro’s network logs for conducting post-breach monitoring to look for the recurrence of malware beaconing.

Improving defensibility

Use Bro’s continuous logging across protocols to establish the "ground truth" of what happened historically, minimizing both legal expenses and the scope of disclosure.

Threat detection

Detecting hidden C2 server communications

Uncover live C2 communications via Bro’s dpd.log when an attacker attempts to disguise their C2 traffic in a purported SSL connection.

close dpd-bro-log

Lateral movement detection

Stream Bro logs to the Real Intelligence Threat Analytics (RITA) tool, to create a daily report of potential beaconing activity for investigation by threat hunters.

Detecting off-port protocol usage

Use Bro’s deep protocol parsing capabilities to identify network services, such as HTTP or DNS, running on non-standard ports.

Fingerprinting connections for fraud detection

Create custom Bro logs to fingerprint connections and identify issues like API fraud and account takeovers.

Investigating unauthorized SMB file access

Use Bro’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization.

Data enrichment

Enhancing DNS visibility

Use Bro’s dns.log—which contains both queries and responses—to access forensic information server logs can’t provide, due to a lack of detail.


Identifying vulnerable software

Use Bro’s software.log to identify outdated or vulnerable software, such as Java or Flash, running in an environment.


Flagging Cyrillic keyboard usage

Monitor Bro’s rdp.log to identify the use of Russian character set keyboards in an environment, which could signal unusual behavior.


Verifying that sensitive connections use strong encryption

Verify via Bro’s ssl.log that all TLS sessions for sensitive connections use appropriately strong ciphers, and prompt security ops staff to take remedial action if less secure ciphers are detected.


Network operations

Creating inventories of connected devices

Inventory network-connected devices and their services without needing to install host agents, and use Bro’s software.log to monitor BYO software used by employees.

Monitoring risky SSL certificates

Monitor self-signed and expired, or soon-to-expire, certificates via Bro’s ssl.log.

Troubleshooting a load balancer issue

Diagnose a load balancer performance problem that is difficult or impossible to replicate in a lab environment via evidence gathered from Bro’s network logs and end finger pointing between security and network operations teams.