Tutorials to follow along. Teach yourself to Bro. On this page we list tutorials and how-tos, both interactive ones and the kind you can lean back and read or watch. This page is new and will develop and grow. Please check back occasionally to see updates.
Interactive tutorials based on try.bro.org. This new tool allows you to follow guided exercises and tutorials that you can try out directly while reading.
The tutorials are divided into different topics covering aspects and use cases of Bro. You can navigate through the exercises by clicking next or back on the bottom of each page. Every lesson comes with a small code example that you can play with, and there are some exercises, too. Each exercise is followed by a solution with an explanation.
Try.Bro is interactive: you can always click the Run button and then view Bro’s console output in the Stdout section and Bro’s log files under Output Logs.
Most of the topics in the first chapter don’t require a traffic sample, so you can concentrate on learning Bro first. Some training examples and later chapters come with one or more traffic samples in pcap format which the script is run on. To make things faster you can select no pcap file, but be aware that some results will be different, or not present at all, in this case. The “choose file” button lets you upload your own traffic sample, or you can simply try out every piece of code with some of the given traffic samples.
The different example scripts demonstrate different aspects of Bro. They are meant as a starting point for your journey learning Bro. You can edit each example and run it again.
In this tutorial we assume that you already “speak” another programming or scripting language and are familiar with basic terminology, e.g., what a variable is.
Start the interactive tutorial, or jump directly to a topic in the following list.