Why I think you should try Bro
Last weekend I attended a presentation by Liam Randall (@hectaman) on the Bro networking language. It helped break through many of the assumptions I had about it and encouraged me to take a second look at using it in the lab. His talk is available on YouTube and the slides are available here: http://www.appliednsm.com/shmoocon-2013-bro-slides-and-video/
"I have snort, why do I need another IDS?"
That pretty much summed up my thoughts about Bro. Liam described most people's NSM stack as tcpdump for capture, Wireshark for analysis, Argus for flow data, Snort for alert data, and Python to script the interactions between them. When he said that Bro could replace each of these tools I was a mix of incredulous and intrigued. The key point that helped me understand was the explanation that Bro is a domain-specific language for networking applications and that Bro-IDS (http://bro-ids.org/) is an application written in Bro.
So, what else does it do?
Basically, Bro generates events from traffic, and these events drive actions or generate structured output. If you've ever needed to script something quickly to process the output of tcpdump, you'll see the appeal of a tool that dumps traffic out in an orderly fashion that's very UNIX command-line friendly.
Using something like Liam's fire-scripts (https://github.com/LiamRandall/bro-scripts/tree/master/fire-scripts) you can explore how protocols are being implemented on your network. While Wireshark does an outstanding job of coloring protocols and identifying flows, Bro scripts do a better job of identifying the order and count of events in a session (helpful for spotting bots that are pretending to be Internet Explorer, or SSL/TLS shenanigans).
Bro can be scripted to extract every executable that flies by on the wire. While this can be done with a few clicks in Wireshark or batched with tcpflow, Bro lets you make it part of the analysis process, from which you can then kick off other static analysis or additional alerts.
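As an added example (not from the original post and not one of Liam's fire-scripts), here is a small Bro script that does both of the things described above: it counts HTTP requests per connection, notes whether the client claimed to be Internet Explorer, writes one structured log line per connection, and hands any PE executable it sees to the extraction analyzer. It assumes the Bro 2.3+ file-analysis framework (file_sniff, Files::ANALYZER_EXTRACT); the module name and log path are my own choices.

```bro
# Added example, not part of the original post. Assumes Bro 2.3 or later.
module HttpProfile;

export {
    redef enum Log::ID += { LOG };

    # One record per connection: how many requests it carried and
    # whether the client User-Agent claimed to be Internet Explorer.
    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        requests:  count   &log;
        claims_ie: bool    &log;
    };
}

# Per-connection state, keyed by Bro's unique connection id.
global reqs: table[string] of count &default=0;
global ie:   set[string];

event bro_init()
{
    Log::create_stream(LOG, [$columns=Info]);
}

# Every HTTP request raises this event; count them per connection.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    ++reqs[c$uid];
}

# Header names arrive upper-cased; remember connections whose client
# (is_orig) claims an MSIE User-Agent so the count can be checked later.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( is_orig && name == "USER-AGENT" && /MSIE/ in value )
        add ie[c$uid];
}

# When the connection is torn down, emit the structured summary.
event connection_state_remove(c: connection)
{
    if ( c$uid !in reqs )
        return;
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $requests=reqs[c$uid], $claims_ie=c$uid in ie]);
    delete reqs[c$uid];
    delete ie[c$uid];
}

# Extract any file whose sniffed MIME type is a Windows executable.
event file_sniff(f: fa_file, meta: fa_metadata)
{
    if ( meta?$mime_type && meta$mime_type == "application/x-dosexec" )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                            [$extract_filename=fmt("exe-%s", f$id)]);
}
```

Run it against a capture with `bro -r traffic.pcap http_profile.bro`; the summaries land in http_profile.log and extracted binaries in the extract_files directory.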
How do I get started?
The shortest path to playing with Bro is Security Onion: http://code.google.com/p/security-onion/ It's an .iso that you can either boot from directly or build a VM from.
What are you using Bro for?
While Googling around to verify the links for this entry, I saw a lot of interesting SSL/TLS projects and APT1-related modules and scripts. For those of you who are using Bro in your processes, leave a comment below.
Comments
James
Feb 25th 2013
The issue has not been addressed directly as it will become irrelevant with a planned update to the cluster framework. I have also opened a ticket to document the issue: http://tracker.bro-ids.org/bro/ticket/949
Give me a few minutes and I will add instructions for changing from cluster mode to standalone mode.
Liam Randall
Feb 25th 2013
LV
Feb 25th 2013
What's the best source for finding useful Bro scripts/modules out there?
eugenius
Feb 25th 2013
https://code.google.com/p/enterprise-log-search-and-archive/
It's included in Security Onion, so you can have both Bro and ELSA up and running in about 10 minutes.
Doug
Doug Burks
Feb 25th 2013
http://eyeis.net/2012/04/splunking-the-onion/
http://splunk-base.splunk.com/apps/45784/security-onion
Eugenius: on GitHub you can search by source language. I think Bro is #78!! (of 89.. but trending up :) I am trying to blog a lot of the interesting things you can do in Bro over the next few weeks.
Liam Randall
Feb 26th 2013