Wednesday, November 19, 2014

Bro Monthly #3

Welcome to the 3rd Bro Monthly newsletter.
This month we cover the following topics:
  • Bro Meet-ups: a new monthly category for Bro related gatherings and groups,
  • Bro teaching and training,
  • Bro in research,
  • Bro in the wild,
  • Bro-active: current exploits and attacks, how Bro can help, and other everyday Bro.

Call for news:

If you want to point us to anything that should be in the next monthly, just let us know: send mail to or tweet it to @Bro_IDS.

Bro Meet-ups

This new category lists all meet-ups we hear of that are somehow related to Bro. If you send us the information we can list your event here. Just write to


OpenNSM aims to provide a place for network security analysts and those interested in information security with a network security and incident response focus to share tricks, solutions, work on projects, and other knowledge about the subject. We're not aware of any other active NSM user groups in the United States, and have the ambitious goal of being a premier place for students, professionals, and hobbyists from all over to share their research, tools, and techniques in a laid back and friendly environment. Remote attendance is available. Join the mailing list or Facebook group for meeting info.

They've had three presentations from Bro team members so far, with more to come!

More info:

Bro teaching and training


The Isolated, Scalable, & Lightweight Environment for Training (ISLET) is a container system for teaching Linux-based software with minimal participation and configuration effort. You can use ISLET to teach Bro by installing the BroLive! environment ('make install-brolive-config') after installing ISLET.

Bro research


When developing networking systems such as firewalls, routers, and intrusion detection systems, one faces a striking gap between the ease with which one can often describe a desired analysis in high-level terms, and the tremendous amount of low-level implementation details that one must still grapple with to come to a robust solution. At this year's Internet Measurement Conference (IMC) we presented a prototype of "HILTI", a platform that bridges this divide by providing much of the standard low-level functionality, without tying it to any specific analysis structure.

Beyond pattern matching: a concurrency model for stateful deep packet inspection

On modern multi-core processing platforms, intrusion detection systems need to scale across a large number of processing units, a challenge, as distributing their analysis must not come at the cost of decreased effectiveness in attack detection. At ACM's Conference on Computer and Communications Security (CCS) we presented a novel domain-specific concurrency model that facilitates concurrent traffic analysis by partitioning input according to fine-granular analysis scopes.

Bro in the wild



SSL continues to produce headaches; last month's hiccup was a protocol flaw in SSLv3 itself (the POODLE padding-oracle attack on SSLv3's CBC mode), which no patch to an implementation can fix, so the remedy is to stop negotiating SSLv3 at all.

To find the servers in your Bro logs that negotiated SSLv3, ranked by number of connections, this line helps:

bro-cut version id.resp_h < ssl.log | grep "^SSLv3" | awk '{print $2}' | sort | uniq -c | sort -nr
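The same ranking done in Python, as an added example that is not part of the newsletter or of the Bro distribution. Instead of relying on column positions it reads the log's own #fields header, treats the #unset_field marker ("-", which Bro writes for connections whose handshake never completed) as "no value" rather than as a version, and also reports the overall version mix. The embedded ssl.log is constructed for the example: the hosts and uids are made up and the column set is a subset of Bro's SSL::Info fields; the parser assumes the default tab separator.

```python
"""Rank servers that negotiated SSLv3 in a Bro ssl.log (added example)."""
from collections import Counter

# Subset of Bro's SSL::Info columns, in the order a real #fields line lists them.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "cipher"]
TYPES = ["time", "string", "addr", "port", "addr", "port", "string", "string"]

# Constructed records (RFC 5737 addresses, invented uids). Row 5 has no
# version because its handshake never completed, so Bro logs "-".
ROWS = [
    ["1416391200.000000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49152",
     "192.0.2.10", "443", "SSLv3", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    ["1416391201.000000", "C4J4Th3PJpwUYZZ6gc", "10.0.0.6", "49153",
     "192.0.2.10", "443", "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    ["1416391202.000000", "CmES5u32sYpV7JYN", "10.0.0.5", "49154",
     "198.51.100.7", "993", "SSLv3", "TLS_RSA_WITH_RC4_128_SHA"],
    ["1416391203.000000", "CLELjd1adR4yF2vZ", "10.0.0.7", "49155",
     "192.0.2.10", "443", "SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    ["1416391204.000000", "CUM0KZ3MLUfNB0cl11", "10.0.0.8", "49156",
     "203.0.113.4", "443", "-", "-"],
    ["1416391205.000000", "C1Xq6p2jOXl7XkfXn1", "10.0.0.9", "49157",
     "203.0.113.4", "443", "TLSv10", "TLS_RSA_WITH_AES_256_CBC_SHA"],
]

# Bro's ASCII writer puts the escaped separator in the first line and then
# uses the real tab everywhere else; mimic that here.
SAMPLE_SSL_LOG = "\n".join(
    ["#separator \\x09",
     "#set_separator\t,",
     "#empty_field\t(empty)",
     "#unset_field\t-",
     "#path\tssl",
     "#open\t2014-11-19-10-00-00",
     "#fields\t" + "\t".join(FIELDS),
     "#types\t" + "\t".join(TYPES)]
    + ["\t".join(row) for row in ROWS]
    + ["#close\t2014-11-19-10-05-00"]
) + "\n"


def parse_bro_log(text):
    """Yield one dict per record of a tab-separated Bro ASCII log.

    Column names come from the #fields header line; the #unset_field marker
    is mapped to None so an unset column can never be mistaken for data.
    """
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {name: (None if v == unset else v)
               for name, v in zip(fields, values)}


def sslv3_servers(text):
    """Return [((resp_h, resp_p), count), ...] for SSLv3 connections,
    most connections first; this is what the bro-cut pipeline prints."""
    counts = Counter()
    for rec in parse_bro_log(text):
        if rec["version"] == "SSLv3":
            counts[(rec["id.resp_h"], rec["id.resp_p"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def version_breakdown(text):
    """Count negotiated versions, ignoring records with no version."""
    return Counter(rec["version"] for rec in parse_bro_log(text)
                   if rec["version"] is not None)


def report(text):
    for (host, port), n in sslv3_servers(text):
        print("%6d  %s:%s" % (n, host, port))
    print("versions:", dict(version_breakdown(text)))


if __name__ == "__main__":
    report(SAMPLE_SSL_LOG)
```

A hit here means SSLv3 was actually used on the wire, which may be the client's doing (an old client, or a fallback retry) as much as the server's; these counts tell you where to look first, but confirming that a server still accepts SSLv3 needs an active check against it. Swapping id.resp_h for id.orig_h in sslv3_servers gives the internal clients that still speak SSLv3, which is usually the larger clean-up job.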

FireEye APT28

Bro Passive DNS tool

Friday, November 7, 2014

Using Bro to Build a Passive DNS Database

Searching DNS logs became a lot faster with the launch of our Passive DNS tool for Bro. It uses Bro's DNS logs to build a database that is more compact, and therefore a lot easier to search.
See how we did it by checking it out on GitHub.