The Bro ingest data source is a custom Bro plug-in that pushes DPI (deep packet inspection) metadata into Cloudera Cybersecurity Platform (CCP).
Bro is primarily used as a DPI metadata generator. CCP does not currently use the IDS alert features of Bro. CCP integrates with Bro by way of a Bro plug-in, and does not require recompiling of Bro code.
The Bro plug-in formats Bro output messages into JSON and puts them into a Kafka topic. The JSON message output by the Bro plug-in is parsed by the CCP Bro parsing topology.
DPI metadata is not a replacement for packet capture (pcap), but rather a complement. Extracting DPI metadata (API Layer 7 visibility) is expensive, and therefore is performed on only selected protocols. You should enable DPI for HTTP and DNS protocols so that, while the pcap probe records every single packets it sees on the wire, the DPI metadata is extracted only for a subset of these packets.