Why I think you should try Bro

Published: 2013-02-25. Last Updated: 2013-02-25 00:40:42 UTC
by Kevin Liston (Version: 1)
6 comment(s)

Last weekend I attended a presentation by Liam Randall (@hectaman) on the Bro networking language.  It helped break through many of the assumptions I had about it and encouraged me to take a second look at using it in the lab.  His talk is available on YouTube and slides are available here: http://www.appliednsm.com/shmoocon-2013-bro-slides-and-video/

"I have snort, why do I need another IDS?"

That pretty much summed up my thoughts about Bro.  Liam described most people's NSM stack as: tcpdump for capture, wireshark for analysis, argus for flow data, snort for alert data, and python to script interactions.  When he said that Bro could replace each of these tools I was a mix of incredulous and intrigued. The key point that helped me understand was the explanation that Bro is a domain-specific language for networking applications and that Bro-IDS (http://bro-ids.org/) is an application written with Bro.

So, what else does it do?

Basically Bro generates Events from traffic, and these Events drive Actions or generate Structured Output.  If you've ever had a need to script something quickly to process the output of tcpdump, you'll see the appeal of Bro, which dumps traffic out in an orderly fashion that's very UNIX command-line friendly.
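What that structured output looks like to a script, as an added example (not from the original diary or the Bro project): it reads a constructed excerpt laid out like a Bro 2.x conn.log, takes column names from the `#fields` header line, and totals payload bytes per service. The sample rows and the function names `parse_bro_log` and `bytes_by_service` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample laid out like a Bro 2.x conn.log (not captured traffic).
# Header lines start with '#'; the '#fields' line names the tab-separated columns.
_ROWS = [
    ["#separator \\x09"],
    ["#unset_field", "-"],
    ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p",
     "proto", "service", "orig_bytes", "resp_bytes"],
    ["#types", "time", "string", "addr", "addr", "port",
     "enum", "string", "count", "count"],
    ["1361750400.10", "uidA", "10.0.0.5", "192.0.2.10", "80", "tcp", "http", "420", "18200"],
    ["1361750401.25", "uidB", "10.0.0.5", "192.0.2.10", "80", "tcp", "http", "390", "950"],
    ["1361750402.00", "uidC", "10.0.0.7", "198.51.100.4", "443", "tcp", "ssl", "1200", "5300"],
    ["1361750403.50", "uidD", "10.0.0.7", "203.0.113.9", "53", "udp", "dns", "-", "-"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS) + "\n"

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names on the '#fields' line."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator is written as an escape such as \x09 (tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "unset_field":
                unset = vals[0]
        elif fields is None:
            raise ValueError("record seen before the #fields header")
        else:
            # Unset values (e.g. no byte counts recorded) become None.
            yield {f: (None if v == unset else v)
                   for f, v in zip(fields, line.split(sep))}

def bytes_by_service(records):
    """Sum originator and responder payload bytes per detected service."""
    totals = defaultdict(int)
    for r in records:
        cols = (r["orig_bytes"], r["resp_bytes"])
        totals[r["service"] or "unknown"] += sum(int(c) for c in cols if c is not None)
    return dict(totals)

if __name__ == "__main__":
    print(bytes_by_service(parse_bro_log(SAMPLE_LOG)))
```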

Using something like Liam's fire-scripts (https://github.com/LiamRandall/bro-scripts/tree/master/fire-scripts) you can explore how protocols are being implemented on your network.  While wireshark does an outstanding job of coloring protocols and identifying flows, Bro scripts do a better job of identifying the order of events and counts of events in a session (helpful for looking for bots that are pretending to be Internet Explorer or SSL/TLS shenanigans).

Bro can be scripted to extract every executable that flies by on the wire. While this can be done with a few key-clicks in wireshark or batched by using tcpflow, Bro allows you to make it part of the analysis process, from which you can then kick off other static analysis or additional alerts.

How do I get started?

The shortest path to playing with Bro is via Security-Onion: http://code.google.com/p/security-onion/  It's an .iso that you can either boot from or build a VM from.

What are you using Bro for?

While Googling around to verify the links for this entry, I see a lot of interesting SSL/TLS projects and APT1-related modules and scripts.  For those of you who are using Bro in your processes, leave a comment below.

Keywords: bro

Comments

In my tests, Bro-IDS maxed out my CPU in a link with no traffic. I've tried several times to contact the devs via email and tweets and got no response...less than impressive so far.
TLDR on this issue is Bro has a really tight polling loop and is designed to handle high traffic situations. Feed it some traffic and the load will fall dramatically. In the short term, you can change bro from cluster configuration to standalone mode to reduce the load on sensors that do not see traffic (testing VMs, etc.).

The issue has not been addressed directly as it will become irrelevant with a planned update to the cluster framework. I have also opened a ticket to document the issue: http://tracker.bro-ids.org/bro/ticket/949

Give me a few minutes and I will add instructions for changing from cluster mode to standalone mode.
More tools need to read/parse Bro's output IMO. Where is the "Base" equiv for Bro? Plus I know our SIEM vendor has yet to catch up on all the 2.X changes (their Bro support is only for 1.1 & 1.3).
Check out Brownian (http://brownian.bro-ids.org/) for a web-based query interface.

What's the best source for finding useful Bro scripts/modules out there?
LV, in addition to Brownian, also take a look at ELSA:
https://code.google.com/p/enterprise-log-search-and-archive/

It's included in Security Onion, so you can have both Bro and ELSA up and running in about 10 minutes.

Doug
Also, if you're using SecurityOnion as your platform don't forget to check out Brad Shoop's Splunk plugin:

http://eyeis.net/2012/04/splunking-the-onion/
http://splunk-base.splunk.com/apps/45784/security-onion

Eugenius: on github you can search by source language. I think Bro is #78!! (of 89.. but trending up :) I am trying to blog a lot of the interesting things you can do in Bro over the next few weeks.
