
Bro Scripting

If you miss an attacker on your network, it’s probably not because you don’t have enough data. It’s more likely that you have too much data.

That’s where Bro comes in.

Bro (recently renamed to Zeek) is the world’s most flexible network security platform, and thousands of organizations use it to reduce network packet streams down to noteworthy events. While Bro’s out-of-the-box capabilities are robust, they merely scratch the surface. Bro isn’t just a tool; it’s a programming language. That means Bro…

  • …is an IDS that can be used to go beyond signature-based matching and detect things that might be missed.
  • …will match complex sequences of events that are benign by themselves, but malicious when occurring together.
  • …can generate statistics for anomaly detection and network-based hunting.
  • …produces evidence useful for enriching and investigating alerts from other tools.

Hands-On Bro Scripting is a foundational course that will help you unlock the flexibility of Bro to make sure you have the right data at the right time. When you take this course, you’ll learn:


  • The fundamentals of Bro scripting with hands-on, real-world scripts being developed along the way.
  • Effective approaches for maximizing your sensor resources.
  • How to effectively filter log data to minimize network bandwidth use.
  • Techniques for debugging and analyzing new and existing scripts.
  • Best practices for building your own custom Bro events.
  • How to leverage Bro’s frameworks: intel, file analysis, input, summary statistics, notice, and conn threshold.

You’ll also develop useful foundational scripts you can use to guide your detection and analysis. This includes scripts for detecting large HTTP flows, extracting files based on MIME type, determining the ratios of HTTP methods, firing events based on connection thresholds, and protocol filtering scripts.

You can view the full course syllabus here.

Course Format

Hands-On Bro Scripting is delivered entirely online using recorded video lectures that you can go through at your own pace. Each lesson consists of lectures that overview critical concepts, instructor-led demonstrations that walk through Bro examples, and lab exercises where you practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students and your instructor.


This is a scripting course and assumes some level of programming knowledge. You should have experience with another scripting language (Perl, Python, etc), and a basic understanding of programming concepts.

A basic understanding of Bro is helpful, although not entirely required.

This course is delivered in English.

Hands-On Bro Scripting includes:

  • Over 40 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept at writing actionable Bro scripts.
  • Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by creating scripts to detect and log specific occurrences in PCAPs from real-world scenarios.
  • Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes, and students get to take part in nominating charities that are important to them to receive these donations.
  • 1-year access to course video lectures and lab exercises. You can extend access later if you need more time.
  • A Certification of Completion
  • 60 Continuing Education Credits (CPEs/CEUs)

Meet the Instructor – Aaron Eppert

Aaron Eppert is the Director of Engineering for PacketSled and the principal engineer of PacketSled’s Bro-Based Sensor technology. Over the course of working with Bro, Aaron has committed pull requests to the Bro Open Source Repository, including numerous bug fixes and driving the finalization and inclusion of the SMB Protocol Analyzer. He is an accomplished expert in the Bro Scripting Language and Bro protocol analyzer development, as well as a sought-after trainer and mentor of the Bro Ecosystem. Aaron is an expert in low-level programming, optimization and high-speed network filtering with accomplishments spanning twenty years. He is a recognized industry expert in protocol analysis, reverse engineering, and software engineering and implementation.


Q: Who is this course designed for?
A: Anyone who wants to learn how to use Bro for intrusion detection or security investigations. This course is targeted explicitly at security investigators, NSM analysts, detection engineers, and security tool developers.

Q: How much Bro experience should I have before starting?
A: A basic familiarity with Bro and its default data output is helpful. Understanding the official Bro quickstart document is a great place to start.

Q: How much programming experience should I have before starting?
A: This is a scripting course and assumes some level of programming knowledge. You should have experience with another scripting language (Perl, Python, etc), and a basic understanding of programming concepts.

Q: Are there any hands-on labs?
A: Yes! Lots of them. You’ll have plenty of opportunities to practice the techniques we discuss. The class is loaded with demonstrations you can follow along with, too! If you run into troubles, you can ask your course peers and the instructor, who is an expert Bro developer.

Student Testimonials

“I like Bro as an open source project and we use it at work. I thought this was an excellent opportunity to learn more about it. I truly enjoyed Aaron’s style of teaching. Since I don’t have too much experience with programming, I liked how Aaron took his time to thoroughly explain concepts and implementing them. I learned that scripting isn’t some dark art. With time, practice, and some guidance, you can build effective scripts that provide you with the information you want.” – Matias Davaro

“We’re heavily investing in Bro and while I had a lot of Bro operational experience, I was looking for solid training on Bro scripting. This is the first Bro programming course I have found that seemed to be extensive enough to be worthwhile. I would highly recommend this course. It provides some of the best training material on Bro scripting I have been able to find. Aaron spent a lot of time discussing the nuances of certain functions, the scripting language, and frameworks. This is information that is often hard to find in official documentation or Google searching. I took a ton of notes on these nuances discussed. The material is extensive. The videos were well done and I built a large library of code examples as a result of this course” – Nick Turley

Join Hands-On Bro Scripting Now for Just $747

Bulk discounts are available for organizations that want to purchase multiple licenses for this Bro/Zeek training course. Please contact us to discuss payment and pricing.