Skip to content
This repository has been archived by the owner on Jan 21, 2023. It is now read-only.


Repository files navigation


Bro IDS Dockerfile (also see 🆕 blacktop/docker-zeek)

CircleCI License Docker Stars Docker Pulls Docker Image

This repository contains a Dockerfile of Bro-IDS blacktop/bro.

Table of Contents


Image Tags

$ docker images

REPOSITORY          TAG           SIZE
blacktop/bro        latest        22.2MB
blacktop/bro        2.5           22.2MB
blacktop/bro        pkg           107MB
blacktop/bro        elastic       67.4MB
blacktop/bro        redis         60.1MB
blacktop/bro        geoip         55.97MB
blacktop/bro        kafka         30.6MB
blacktop/bro        2.4.1         16.68MB
blacktop/bro        2.4           16.68MB


  • tag pkg is the same as tag 2.5, but includes the Bro Package Manager
  • tag elastic is the same as tag 2.5, but includes the elasticsearch plugin and the GeoIP database
  • tag redis is the same as tag 2.5, but includes the redis plugin and the GeoIP database
  • tag geoip is the same as tag 2.5, but includes the GeoIP database
  • tag kafka is the same as tag 2.5, but includes the kafka plugin
  • all tags include the af_packet plugin


  1. Install Docker.
  2. Download trusted build from public Docker Registry: docker pull blacktop/bro

Getting Started

$ wget
$ wget
$ docker run --rm \
         -v `pwd`:/pcap \
         -v `pwd`/local.bro:/usr/local/share/bro/site/local.bro \  # All default modules loaded
         blacktop/bro -r heartbleed.pcap local "Site::local_nets += { }"
$ ls -l

-rw-r--r--  1 blacktop  staff   635B Jul 30 12:11 conn.log
-rw-r--r--  1 blacktop  staff   754B Jul 30 12:11 files.log
-rw-r--r--  1 blacktop  staff   384B Jul 30 12:11 known_certs.log
-rw-r--r--  1 blacktop  staff   239B Jul 30 12:11 known_hosts.log
-rw-r--r--  1 blacktop  staff   271B Jul 30 12:11 known_services.log
-rw-r--r--  1 blacktop  staff    17K Jul 30 12:11 loaded_scripts.log
-rw-r--r--  1 blacktop  staff   1.9K Jul 30 12:11 notice.log <====== NOTICE
-rw-r--r--  1 blacktop  staff   253B Jul 30 12:11 packet_filter.log
-rw-r--r--  1 blacktop  staff   1.2K Jul 30 12:11 ssl.log
-rw-r--r--  1 blacktop  staff   901B Jul 30 12:11 x509.log
$ cat notice.log | awk '{ print $11 }' | tail -n4




Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.


Alpine conversion heavily (if not entirely) influenced by




See all contributors on GitHub.

Please update the and submit a Pull Request on GitHub.


MIT Copyright (c) 2015-2018 blacktop