Tuesday, November 29, 2016

Donate to The Bro Project

Bro Community,

As 2016 comes to a close, please consider adding The Bro Project to your list of charitable donations. We are managed by Software Freedom Conservancy, which is a 501(c)(3) organization and therefore exempt from US taxes.

To donate via credit card, click on the "Donate" button below, or go our site for more payment options:

If your commercial organization is considering sponsoring the Bro Project, you can find more information about it on our sponsorship page.

Thank you. And have a happy new year.

The Bro Project

Monday, November 28, 2016

New additions to the Bro Leadership Team

Last year when we announced The Bro Project had joined Software Freedom Conservancy we also announced the formation of Bro Leadership Team. The team consists of key contributors and community representatives working with SFC to set the direction of the project.

The Team has recently added two more members to the group: Johanna Amann and Martin van Hensbergen. As you may know, Johanna is a Bro developer and works on ICSI SSL Notary Service. Martin is a Threat and Malware analyst and the creator of the Bro (RFB)VNC parser.

Welcome Johanna and Martin, thank you for your contributions to the Bro Project!

The complete Leadership Team is now:
  • Johanna Amann, International Computer Science Institute 
  • Seth Hall, International Computer Science Institute
  • Keith Lehigh, Indiana University 
  • Vern Paxson, University of California at Berkeley
  • Michal Purzynski, Mozilla Foundation
  • Aashish Sharma, Lawrence Berkeley Lab 
  • Adam Slagell, National Center for Supercomputing Applications 
  • Robin Sommer, International Computer Science Institute
  • Martin van Hensbergen, Fox-IT

Monday, November 21, 2016

Bro4Pros 2017: February 2nd in San Francisco

Mark your calendars! Bro4Pros 2017 will be on Thursday, February 2nd in San Francisco, CA at Salesforce's Spear St. office (map).

Bro4Pros is a one-day workshop for advanced Bro users (i.e., those who use Bro on a daily basis, feel comfortable customizing its configuration, and have written scripts on their own).

This is a joined community effort and get-together, and the program will depend to a large degree on what people want to talk about. Attendance is limited to ensure an interactive and productive atmosphere.

We scheduled this year's workshop immediately after the Usenix Enigma conference to make travel a little more convenient for out-of-towners.

Registration is free and will open at 11am PST on Thursday, December 1st. Seats are limited and are first-come, first serve. If you have to cancel your registration please contact us to release your seat.

Call for presentations:

We have a few spots available for community presentations.

Send abstracts (max 500 words) to: info@bro.org
Subject: Bro4Pros 2017 Call for Presentations
Submission due date: January 6th, 2017

More details about the event can be found on our event page.

Thank you to Salesforce for sponsoring this event.

Thursday, November 17, 2016

Bro 2.5 released

We are very happy to announce the release of Bro v2.5. The new version is now available for download! Here is a brief summary of some of the new features and improvements:
  • Bro now includes the NetControl framework. This framework allows easy interaction with hard- and software switches, firewalls, etc. 
  • Support for the SMB protocol (SMB1 and SMB2), including GSSAPI and NTLM.
  • Support for the remote framebuffer protocol (RFB), that is used by VNC servers for remote graphical display.
  • The Intelligence framework was refactored and extended. It now supports, for example subnet indicators and item deletion/expiration.
See NEWS for release notes and CHANGES for the exhaustive commit list. Since the first beta version a series of smaller problems were fixed, in particular with the new SMB analyzer. We also added preliminary support for TLS 1.3. There were no significant changes anymore since the second beta version.

Bro 2.5 is currently available as source code, binary packages will come soon.

Thursday, November 3, 2016

Bro 2.5 Beta2

We are happy to announce that the second beta of Bro v2.5 is available for download. The main changes since the first beta are:
  • Lots of small fixes to the SMB analyzer. (Note that the analyzer is disabled by default)
  • Preliminary TLS 1.3 support.
  • Lots of other small fixes.
For a full list of changes see the CHANGES file. For information on the main features added in Bro v2.5, see our NEWS file and the earlier blog post.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Thursday, October 20, 2016

Contributing to the Bro Project

Recently we have had a number of community members ask us for suggestions for contributing back to the Bro Project. We have updated the Community page on our website to reflect the new options available.

Custom Scripts and/or Plugins

We encourage Bro users to make their custom scripts and/or plugins available to the community by creating a package and submitting it to the Bro Package Source. See the README file of that GitHub repo for more instructions on how to create a package and submit it. Once your package is accepted, it becomes installable via the Bro Package Manager.

Patches and New Functionality

For working on the Bro codebase itself, work from our official GitHub mirrors or clone the master bro.org repositories directly from git://git.bro.org/<repo>. See our contribution guidelines for more information.

Writing Documentation

We are grateful for any corrections or contributions to documentation. Send documentation to info@bro.org or submit a ticket to our issue tracker.

Provide community support

Respond to user questions on the Mailing List, Twitter, IRC, and Gitter.

Financial Support

Become a Bro Future Fund sponsor, make an individual donation, or sponsor Bro events like BroCon.

Monday, October 3, 2016

Introducing the Bro Package Manager

Bro's New Package Manager

After a long period of being on Bro's development projects wishlist, Bro now has a working prototype of a package management tool.  The idea behind it is to provide Bro users with a command-line tool, bro-pkg, that they can use to manage third-party Bro scripts and/or plugins in the form of "packages."  At the same time, the project aims to provide a centralized location for anyone to share the Bro packages that they have developed, making them readily available to users of the package manager.  Ahead, we'll show some examples of its basic functions and capabilities.


  • bro-pkg is new and there may still be bugs.
  • Packages installed via bro-pkg come with no guarantees.  Anyone is free to submit packages, so don't assume that any particular package is safe to install unless you have reason to trust the author or have reviewed the package's code yourself.

Basic Usage/Workflow

You can see the Bro Package Manager documentation for full usage/setup instructions, but here's a quick example of what using the package manager will look like.

Checking all available packages:
$ bro-pkg list all bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str). bro/broala/bro-long-connections bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation. bro/initconf/scan-NG - Clusterized scan-detection based of bro-1.5.3 scan-detection policies bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling. bro/jsiwek/bro-test-package bro/sethhall/preit-card-exposure - Detect and log credit cards. bro/sethhall/domain-tld - Bro script library for getting the effective TLD of a domain. bro/sethhall/ssn-exposure - Detect and log US Social Security numbers.

Searching for interesting packages based on keyword tags:
$ bro-pkg search file analysis bro/sethhall/credit-card-exposure - Detect and log credit cards. bro/sethhall/ssn-exposure - Detect and log US Social Security numbers.

Get more information on a package:
$ bro-pkg info credit-card-exposure "bro/sethhall/credit-card-exposure" info: versions: [] package metadata (from version "master"): build_command = plugin_dir = build script_dir = scripts version = 1.1.0 index metadata: description = Detect and log credit cards. tags = file analysis, credit card, cc, dlp, data loss url = https://github.com/sethhall/credit-card-exposure

Install it:
$ bro-pkg install credit-card-exposure The following packages will be INSTALLED: bro/sethhall/credit-card-exposure (master) Proceed? [Y/n] y Installed "bro/sethhall/credit-card-exposure" (master) Loaded "bro/sethhall/credit-card-exposure

Later on, you'd check if any packages have been updated:
$ bro-pkg refresh Refreshed source packages: no changes Refreshed installed packages: no new outdated packages

And if a new version of any package is available (in this case, it was not), you could upgrade to it:
$ bro-pkg upgrade All packages already up-to-date.

If you're interested in how to get your own packages listed by bro-pkg, checkout the README of the bro/packages GitHub repository.


The only major, planned feature to add to bro-pkg is automatic dependency analysis/resolution.  e.g. packages should be able to specify a particular Bro version that they require and list other packages (and their version) that they depend on.  Then, for packages that specify such dependencies bro-pkg should automatically be able to install/upgrade package dependencies if the user gives their consent.


If you have ideas/suggestions for new features or other feedback, you can find how to get in touch w/ the Bro team here.

If you find bugs, you can report them on the project's GitHub page.  Patches and pull requests are also welcome.