Wednesday, November 30, 2011

Bro Language Cheat Sheet

You asked for it, we created it. The Bro language cheat sheet is now available from our community presence at github: This document describes the scripting language on a single page, and also provides a solid reference of the most important built-in functions. Print it and place it next to your cup of coffee, as you are now equipped to write the next APT detector in Bro.

We provide the source code of the cheat sheet, which comes with a Creative Commons Attribution-NonCommercial-ShareAlike license. This means you can adapt and redistribute it for non-commercial purposes as long as the attribution remains intact. If you feel that the document could be improved, we encourage you to use the proven github model of forking, updating, and creating a pull request.

To whet your appetite, check out the two screen shots of the first two pages below. Enjoy!

[Screenshots of the cheat sheet's first two pages: "Main page"]

Wednesday, November 16, 2011

Bro Workshop 2011 is Sadly Over

Last week we held our first workshop since the full team came together for the NSF grant and I felt like the workshop went very well. It was by far the largest workshop in terms of attendance, I think we had over 55 people in the room most of the time!

Personally, it was great to get a chance to put so many faces to names. I've communicated with many people but had the chance to meet far too few. In particular I was excited to see the growing interest in Bro from the incident response community. We've really pushed Bro with the 2.0 release to be well tuned and relevant for security operations straight "out of the box". Now I'm looking forward to learning and helping with new deployments in 2012 and more questions about networks that we could help answer with Bro.

Speaking of answering questions about networks, there was a particularly interesting occurrence on the second day. The entire day seemed to revolve around the idea of asking questions about networks and getting real answers. Everything revolved around this: the exercises, the presentations, even the invited talks given by incident responders. I've been pushing for this as part of the approach to Bro for a long time, since Bro is a great tool for answering questions, so I'm really happy to see others using Bro in a similar way. Now that the 2.0-beta is released and 2.0-final is approaching, I will begin posting snippets and full scripts soon that help you answer questions about your own networks. There are so many questions, and so little time.

I would really like to thank everyone who listened to my pleading to attend the workshop and those whom I didn't even need to plead with. You all added to my experience of the workshop and opened my eyes to new ways of thinking about how Bro can and should be used. I hope you got as much from the workshop as I did.

Finally, I wanted to mention that all of the material from the workshop (video, exercises, slides) will be released very soon and we will be sure to do another quick blog post when it's available.

That's enough writing, now back to coding and documentation...