Thursday, November 7, 2013

Bro 2.2

Bro 2.2 has arrived. You can download the source distribution on our download page; binary packages will follow soon. For an overview of the major new features in 2.2, please see the earlier posting on the beta version. Since that beta, we have applied a range of smaller bug fixes and cleanups, improved portability and regression testing, and extended the documentation further. We have also added a few missing pieces to the release notes; see NEWS for the final version.

Thanks to everybody who contributed to Bro 2.2, including in particular those of you who helped us test early versions during development.

The Bro Team

Tuesday, October 1, 2013

NSF Funds Bro Center of Expertise

We have some very exciting news to share today. The National Science Foundation (NSF) has awarded a new three-year grant to our team to establish a Bro Center of Expertise at ICSI and NCSA for supporting the NSF community in deploying Bro. The Center will provide the open-science community with a central point of contact for "all things Bro", and it will develop new Bro capabilities that cater to their settings.

See today's press release for more information about the project.

NSF has been funding much of the work we have been doing over the last few years, and thereby facilitated Bro's transition into a widely deployed operational platform that started with the 2.0 release. The new award enables us to continue and extend that work to the benefit of the Bro community at large. The Center will become the focal point of Bro's open-source development, and we have a rich set of ideas in our pipeline that will push Bro's unique capabilities even further.

We are very grateful to NSF for continuing their support, and we're looking forward to more exciting years ahead.

The Bro Team

Tuesday, September 24, 2013

Bro 2.2 Beta Available

It has been baking for a while, but now fresh out of the oven: we're happy to make a beta version of Bro 2.2 available on the download page for testing.

Bro 2.2 comes with plenty new functionality, including a new file analysis framework for processing the content of files; a framework for transparent, distributed computation of summary statistics; a set of probabilistic data structures; protocol support for GridFTP, Modbus, and DNP3; a number of extensions to the scripting language; and much more. See the NEWS for more, and CHANGES for the exhaustive list. We have also extended the documentation significantly, including a new chapter on writing Bro scripts by Scott Runnels.

For the final Bro 2.2 release, we'll do more testing and also polish the documentation a bit further. Please let us know if you find anything that doesn't work or look right; the tracker is the best way to report any issues you encounter.

The Bro Team

Wednesday, July 24, 2013

Bug Tracker Migration

The Bro bug/issue tracker at has been migrated from Trac to a JIRA instance hosted by Atlassian (you'll notice the former URL now redirects to

A couple new things that JIRA facilitates and may be interesting to try are issue "voting" and "watching."  Like before, issue change notifications are always sent to the bro-dev mailing list, but users may watch specific issues and they'll also get a direct email from the tracker.  Watching may also be useful for quickly finding the issues you're interested in as there's a widget to display watched issues on the dashboard.  Issues can also be voted on, perhaps helping Bro developers better prioritize work according to demand.

The most significant thing users should note is that as part of the import in to JIRA, accounts have been created with the same usernames as were in Trac, however password resets need to be requested before they can be used to log in.  This can be done by selecting the "Unable to access your account?" link from the log in screen to request password reset instructions via email.

Another benefit of the new tracker is that account creation is no longer "by request only," anyone can now create an account themselves.  So if you've ever had an issue with Bro, but been too lazy to request a tracker account in order to file the bug report, give the new tracker a try.

Tuesday, July 9, 2013

Results from our Deployment Survey

Earlier we asked the Bro community to fill out a short survey aimed at better understanding today's state of Bro deployments. We got 103 replies, with the results below. Many thanks to all the sites who responded, this is really helpful for us.

Wednesday, June 26, 2013

Meet Broala, LLC

Today we're delighted to introduce a new venture that we've been preparing in the background for a little while already: the International Computer Science Institute (ICSI) is spinning off a company, Broala, that provides professional Bro services to organizations looking for an alternative beyond what the resources of the non-profit grant-funded Bro team can provide. Founded by core members of the Bro project, Broala offers strategic consulting on Bro installation, deployment, and customization, as well as individualized training and contract development. For more information, please read the full press release, then head over to

We would like to emphasize that the whole Bro team remains fully committed to our core principles that have served us so well for many years. Bro will always remain open-source under the BSD license, and ICSI will keep providing the project with a home; we'll maintain and extend the system just as we have been doing in the past, and we'll stay true to our research roots.  Broala is adding something new on top of what we have, it's not taking anything away from the amazing community that has developed around Bro over the years. Indeed, we aim for Broala's success to help ensure Bro's long-term viability as an open-source project.  With that, please welcome Broala as a new member of the Bro community. We're looking forward to exciting times ahead!

The Bro Team

Tuesday, June 25, 2013

New Research Grant On Security of Industrial Control Systems

We're excited to announce a new research grant on Semantic Security Monitoring for Industrial Control Systems that the National Science Foundation has awarded to a team of researchers at the International Computer Science Institute (ICSI),  the National Center for Supercomputing Applications (NCSA), and the University of Illinois. We plan to eventually integrate the technology developed for this effort into Bro's open-source distribution.

Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we will develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without however exhibiting any obvious protocol-level red flags. In one thrust, we will conduct a measurement-centric study of ICS network activity, aimed at developing a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time. In a second thrust, we will develop domain-specific behavior models that abstract from low-level protocol activity to their semantic meaning according to the current state of the processes under control. Our goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attacks or malfunction. A separate "Transition to Practice" phase will advance our research results into deployment-ready technology by integrating it into Bro.

Wednesday, June 5, 2013

Announcing Bro Exchange 2013 and Requesting Talks

I’m happy to announce the Bro Exchange for 2013 is a go! Our Bro Exchanges aim
to get a large number Bro users together into the same room to share
experiences and talk about how everyone is using Bro. This time, we’ll also add
in a bit of training similar to past Bro Workshops. We’re a little light on
specifics for the program still, but we’ll do more notifications as we pull it
program together.

The dates are going to be August 6th-8th and we will be back at the awesome
facilities offered by NCSA (National Center for Supercomputing Applications) in
Urbana, Illinois. For more information about what goes on at NCSA, you can
refer to their website:

If we are going to run another successful event this year we’ll need your help.
Submit talks to us if you have something to say. Show how you use Bro and how
it fits into your local processes. Let everyone else in the community benefit
from your experimentation! Send email to us at to submit a talk.
We’re going to set a deadline on June 30th for talk submissions so get them in
quickly and feel free to let us know if you have an idea for a talk but you
aren’t sure if it’s presentable. We’d gladly discuss it with you.

I’m really excited and looking forward to getting together with the Bro
community again this year!

Head over to our Bro Exchange website for more information and the link to our
registration site:

Help Us Demonstrate Bro's Impact: Deployment Survey

[Update: The survey is now closed.]

In 2010, the Bro Team received a grant from the National Science Foundation (NSF) to advance the state of the system, with a particular focus on making Bro more easy to deploy. Much of the work on Bro 2.x has been (and still is) funded out of this grant. We'd like to demonstrate to NSF that their support has made a real difference and have prepared a short survey aimed at better understanding today's state of Bro deployments. If you're running Bro on your organisation's network, please take a few minutes to fill it out (it's anonymous and really short!):

Link to Bro Deployment Survey

Many thanks in advance, a strong response may help us secure future funding to continue the current work.

Monday, May 13, 2013

On Bro's License, Name, and Logo

We are very excited to see all the interest that Bro has been generating recently, with many new deployments across networks of all sizes and people working to interface the system to their environments and hardware. Occasionally, however, we also notice a bit of confusion about Bro's licensing in terms of what exactly it permits and where it imposes constraints. To help clarify that, we have have created a new Licensing section in our FAQ, and a separate page with guidelines for using the Bro marks.

Here's the short version:

  • Bro's source code is, and will remain, open-source under the very permissive BSD license. The license allows for pretty much unrestricted distribution and use. Specifically, you are free to deploy any or all of the code in commercial products. You don't even need to tell us about it if you'd rather not.
  • All documentation and web page content is licensed under a Creative Commons NonCommercial license. This means that you can use, share, and adapt the material as long as you attribute the Bro Project as the source and do not use it for any commercial purposes.
  • Finally, we reserve all rights to the Bro name and logo. In many cases it will be fine for you to use our marks but we ask for a chance to review your case. In particular, we consider it important that we avoid any confusion on what the name "Bro" refers to. We have a simple rule of thumb for that: if it's called "Bro", it must be our "Bro" as found on You are free to derive your own versions from our code base, but you can't call it "Bro" unless we have signed off on your use. We believe that this is a fair constraint in the interest of Bro's users, and indeed not unusual in the open-source world.

See the above links for more information and feel free to contact us for further questions.

Thursday, March 7, 2013 — A New Home for Bro

We are very excited to announce that as of today all Bro-related services have found a new home under the domain. We've moved most services over from already, and the remaining pieces should fall in place over the next couple of days. Generally, things should just keep working, with the old names redirecting to the new ones transparently. You may however need to adjust your email filters if you're subscribed to any of our mailing lists.

This move reflects a change in perspective that has been shaping up for a while already. The problem is that what most people associate with the term "IDS" doesn't actually fit Bro very well. Bro's capabilities go beyond what traditional "IDS" provide, and its real strengths lie in areas where there's not much else out there to compare it with. Indeed, Bro can do much more than "just intrusion detection". Many of our users are deploying it in a range of very different settings for gaining insight into their networks independent of any security concerns. In this sense, we've been playing down the "IDS" angle for a while already, and the new domain makes that explicit. On top of that, a three-letter domain is of course much cooler anyways.

This change was made possible by a generous donation from Liam Randall to the International Computer Science Institute. The donation allowed us to aquire the domain from its previous owner. We are extremely grateful for Liam's support, many thanks to him from the whole Bro Team!

Friday, February 22, 2013

Watching for the APT1 Intelligence

Earlier this week, Mandiant released their APT1 report which I’m not going to bother providing any analysis or commentary on, there has been plenty of that this week. As a developer on a network analysis tool my interest primarily lies with consuming the intelligence data they provided and seeing how I can use it.

Vern Paxson, the original author of Bro, asked me yesterday morning if I had a simple example of a Bro script that he could use for a talk today. Bro’s current lead developer Robin Sommer, suggested that we could show something related to the APT1 report. That’s when it occurred to me that doing so would actually result in a fairly simple and self contained script so I set off to write it.

Several hours later, interspersed with a few phone calls and lots of instant messaging, I had the script done and documented. Here’s where you can find the script module now: APT1 repository on github

There are a few key points about the script that I wanted to take a moment to highlight.

  1. The entire script really boils down to three ‘if’ statements. One for each of the types of data that Mandiant distributed (certificates, file hashes, and domain names).
  2. Mandiant didn’t actually distribute hashes for the certificates so we had to get a little creative. We took the certificate subject and serial number together to find matches because after searching through the data store for our certificate notary project we discovered that there are legitimate certificates using some of the certificate subjects.
  3. Domain names are only being searched for in DNS queries. This is certainly suboptimal but it’s a first step.
  4. MD5 hashes are only being checked for files transferred over HTTP and only for Windows executables by default. The README included with the bro-apt1 repository includes instructions for expanding that to more files.

This was an interesting experiment for me because it opened my eyes a little bit to a potential use for the upcoming revamp of Bro’s Intelligence Framework. The work on the Intelligence Framework is mostly done already and only has relatively small tuning remaining. If I had used the Intelligence Framework for this script, the domain names would have been searched for in many, many places automatically and not just DNS queries (the next obvious step would be HTTP Host headers). Data loading and distribution would have been abstracted much better, the data would have loaded at runtime and not been encoded in a Bro script which is certainly workable but suboptimal. The result would have been even less code and greater use of the data. Those two features in combination are very attractive to me for obvious reasons!

The script ended up being quite nice for about a combined hour of effort but it’s a very naive implementation compared to what we’re working toward. My only question now is if it ended up being too simple of an example for what Vern wanted.

The script module is fully self-contained and very easy to run. I hope that no one has any hits!

Tuesday, January 22, 2013

Bro Summer Internship Available

The Bro Project has an opening for a three month summer internship. If you are interested in helping us improve Bro and develop new functionality, please apply!

See here for more information.

Friday, January 4, 2013

Searching the ICSI Notary for Rogue Turktrust Intermediate Certificates

Turktrust, a Certificate Authority (CA) that is trusted by all major browsers and systems accidentally issued intermediate CA certificates instead of end-host certificates to two of its clients. Both of these intermediates were valid and signed by the Turktrust root, and hence they could be used to sign certificates for any site on the Internet. Having access to an intermediate CA certificate also makes it possible to mount difficult to detect man-in-the-middle attacks on SSL connections.

According to Turktrust, both of the certificates were created on the 8th of August, 2011.

At least one of the certificates was used to create a rogue * certificate that was used for a man-in-the-middle attack. Google became aware of the certificate because Chrome detected it, blocked the access and sent a report back to Google.

We examined the data of the ICSI Certificate Notary: since the start of our data collection effort in February no user at any of the sites we monitor did encounter either of the two intermediate certificates. That's good news and suggests that the intermediate certificates were indeed not used in a wide-scale attack, but only on a local gateway interface like stated by Turktrust.

Updates to distrust the rogue intermediate CA certificates have been pushed by all major Browser and Operating System vendors.