Tuesday, June 16, 2015

OpenSSL Denial of Service Impacting Bro - CVE-2015-1788

A denial of service exploit for OpenSSL was announced recently. We verified that the vulnerability propagates into Bro and has the same effect in Bro as in other software that uses OpenSSL: if a Bro process sees a certificate mangled in the way described in the announcement, it passes the certificate to OpenSSL, and the Bro process locks up with high CPU utilization.

Everyone will want to upgrade OpenSSL on their Bro devices as soon as possible. This is easy to exploit, since X.509 certificate parsing happens in a number of places in Bro and a usable proof-of-concept certificate was released with the announcement.

If you are unable to upgrade OpenSSL on your installation immediately, we have a script that disables X.509 certificate handling in Bro. It is a stopgap and should only be used temporarily, because any analysis that relies on certificate parsing will be broken while it is loaded. It will keep your installation from being hit by the DoS, though.

The short and simple script can be downloaded here: https://gist.github.com/sethhall/68048fe95c0c10966ddf
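To illustrate the kind of stopgap described above, here is an added example script; it is not the script from the linked gist and not part of the original post. It detaches Bro's X509 file analyzer from every certificate it sees, so the certificate bytes never reach OpenSSL's X.509 parser. It assumes the Bro 2.4 file API (the file_sniff event and fa_metadata record, with base/files/x509 attaching the analyzer from a file_sniff handler at priority 5); the DisableX509 module name and the report_suppressed option are my own.

```bro
# Added example (not the gist's code): suppress X509 parsing as a temporary
# workaround until OpenSSL is upgraded. Loading this breaks all certificate-
# based analysis (certificate fields in ssl.log, x509.log, certificate
# validation), which is exactly the trade-off the post describes.

@load base/files/x509

module DisableX509;

export {
	## Set to T to note each certificate whose analysis was suppressed in
	## reporter.log, which also shows how much analysis is being lost.
	const report_suppressed = F &redef;
}

# Assumption: base/files/x509 attaches the analyzer in a file_sniff handler
# with &priority=5 once the MIME type is known. A handler with a lower
# priority runs after it and can detach the analyzer again before any
# certificate data is delivered to it.
event file_sniff(f: fa_file, meta: fa_metadata) &priority=-5
	{
	if ( ! meta?$mime_type || meta$mime_type != "application/pkix-cert" )
		return;

	Files::remove_analyzer(f, Files::ANALYZER_X509);

	if ( report_suppressed )
		Reporter::info(fmt("X509 analysis suppressed for file %s from %s",
		                   f$id, f$source));
	}
```

Remove the script from local.bro as soon as the patched OpenSSL is in place so certificate logging resumes.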

Good luck, and reach out to us on the Bro mailing list if you have any trouble.

Update #1. RedHat has pointed out that their distributions and derivatives are not affected because of their compile options. The RedHat notification: https://access.redhat.com/security/cve/CVE-2015-1788

Update #2. The script that compensates for the problem has been updated and now supports 2.3 as well as 2.4 (including the brief file API that existed during the development cycle but was changed before the release). We have only validated the problem on 2.3 and 2.4, and we generally recommend running nothing older than those two release series.

Tuesday, June 9, 2015

Bro 2.4 released

We are happy to announce that Bro 2.4 has been released and is available for download. For a brief overview of the new features, please look at our blog post of the 2.4 beta. Since the beta, there were a few small bugfixes and further documentation updates.

See NEWS for the release notes and CHANGES for the exhaustive list of changes.

Feedback is encouraged and should be sent to the Bro mailing list.

We extend sincere thanks to all who have helped make this release possible, especially those members of the community who have given us their feedback and support.

The Bro Team

Monday, May 18, 2015

Bro Monthly #5

Welcome to the 5th Bro Monthly newsletter. This month we cover the following topics:
  • Bro Meet-ups: our category for Bro related gatherings and groups,
  • Bro Commits: Bro v2.4 is here,
  • Bro in the wild,
  • Bro internal.

Bro Meet-ups

BroCon'15 Agenda online

Still not registered for BroCon'15?
Please have a look at our updated agenda.
We are happy to announce that the inventor of Bro, Vern Paxson, will give a keynote speech.

The deadline to submit your presentation is coming very soon, May 29th. We already have some exciting topics, but there is certainly room for more. Send us your Bro story.

Bro Commits: Bro v2.4 is here
We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality.
  • Announcing the release of Broker: Bro's new communication library.
  • Major improvements to BroControl's reliability and error handling.
  • New analyzers: including SSH, DTLS, RDP, and MySQL.
  • File analysis supports reassembly of files not transferred/seen sequentially.
  • And, BroCut was rewritten in C to improve its speed.
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Bro in the wild

In this category we list Bro related finds from the web. If you want us to list your Bro story here, please contact us via info@bro.org.

Bro Internal
Friday, May 8, 2015

Bro 2.4 Beta

We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality
  • Announcing the release of Broker: Bro's new communication library
  • Major improvements to BroControl's reliability and error handling
  • New analyzers: including SSH, DTLS, RDP, and MySQL
  • File analysis supports reassembly of files not transferred/seen sequentially
  • And, BroCut was rewritten in C to improve its speed
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Tuesday, March 10, 2015

BroCon '15 Call for Presentations

BroCon '15 is now accepting presentation proposals.  

This year is Bro's 20th Anniversary. To mark this special occasion we are looking for presentations that represent the diverse applications of Bro:

  • as a tool for solving problems;
  • interesting user stories, solutions, or research projects;
  • a postmortem analysis of a security incident, emphasizing Bro's contribution;
  • the value Bro brings to your professional work;
  • and, using Bro for more than intrusion detection. 
Send abstracts to: info@bro.org 
Subject: BroCon 2015 Call for Presentations 
Due Date: Friday, May 29th

Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.


Friday, February 27, 2015

Bro Monthly #4

Welcome to the 4th Bro Monthly newsletter. This month we cover the following topics:
  • Bro Meet-ups: our category for Bro related gatherings and groups,
  • Bro teaching and training news,
  • Bro Commits: 2.3.2 is released,
  • Bro in the wild,
  • Bro internal.

Bro Meet-ups

Bro4Pros

On 2/18 and 2/19 we had our first Bro workshop for advanced users, Bro4Pros at the OpenDNS headquarters in San Francisco. Thanks again to our hosts and especially to Dan Hubbard. The topics focused on practical Bro questions arising in everyday usage. They ranged from advanced Bro scripting to complex engineering when planning and setting up Bro in big networks. The small group size allowed us to go in depth and discuss detailed questions.

Kara Drapala from OpenDNS wrote a blog post about Bro4Pros. If you want to read the view of someone experiencing the Bro Team for the first time, read her article.

We thank all our speakers and presenters.
  • Anthony Kasza of OpenDNS presented concepts and exercises focusing on DNS and its relationship to other protocols. Topics discussed include: how exploit kits make use of drive-by compromises, how malware implants use DGAs for obscuring command and control communications, and how passive DNS can fit into network detection strategies. Proof of concept Bro scripts implementing detection methods were demonstrated. The presentation encouraged others to author Bro scripts (even if just for experimental purposes) and showed how Bro's scripting language can be used to extend the current capabilities of Bro.
    Slides posted here.
  • Justin Azoff demonstrated ways to make Bro even more useful by visualizing its metrics. Using external tools in combination with Bro brings your Bro deployment to life and can help you understand your network.
  • Seth Hall showed an approach to matching files seen on the wire with VirusTotal and discussed why this may be a difficult problem to approach.
  • Robin Sommer demonstrated how to make Bro even more powerful by extending it with dynamic plugins. If you want to get started you might find our documentation helpful.
  • Another talk by Seth Hall covered some of the pitfalls when scripting with Bro and how to avoid them.
  • Liam Randall and Alex Waher gave lightning talks:
    • Alex Waher presented his experience of using Bro in conjunction with viewssld to process encrypted traffic.
    • Liam Randall presented two projects: Bro Top lets you stream your Bro logs to the browser for easy debugging and a real-time glimpse into what's being processed. The Intel Marketplace for Bro is a free feed manager for the Bro Platform that lets you choose from nearly 60 free open source feeds of intelligence and map them to collections of Bro sensors; it is supported on 24 different *nix versions.
  • Vlad Grigorescu gave a talk on "Verifying and troubleshooting your Bro Deployment". Slides posted here; the companion script is posted here.
  • The second day was opened by Seth Hall discussing Bro internals. He showed how Bro approaches hard problems of edge cases in protocols, with HTTP as an example. He walked through turning the raw event stream into good logs and enabling a comfortable programming model that hides the complexity.
  • Josh Liburdi discussed methods of analyzing RDP traffic with Bro by introducing an RDP protocol analyzer. You can find his slides here. To try it out, go to Josh's git repository.
  • Seth Hall helped out again, demonstrating the new file reassembly feature coming in Bro 2.4 and other small changes to how files are handled.
  • Closing with a bang: Aashish Sharma and Vincent Stoffer gave the last talk at Bro4Pros. They presented the impressive Bro setup implemented at the Lawrence Berkeley Lab. They are willing to share their slides with individuals. Please contact security@lbl.gov.

BroCon'15
We are happy to announce BroCon'15!

BroCon '15 registration is now open. You may register here: https://www.regonline.com/brocon2015. We have reserved a block of hotel rooms for the event. For more information about hotel accommodations and other updates, see the event page: https://www.bro.org/community/brocon2015.html

If your organization is interested in sponsoring BroCon '15, please contact us at info@bro.org.

Thanks for your continued support, see you in August!

Bro Teaching and Training

The Bro Teaching Community is for anyone who wants to teach Bro or use Bro for teaching. We provide a connecting point through a git repository and a mailing list. We also used to have a weekly meeting. The Bro Teaching Community thrives on the input that comes from its members. As we noticed decreasing activity in our weekly meetings, we went through several changes to adapt to the real needs of the community. This is a continuing process. In order to make the Teaching Community more active and to improve it further, we invite everyone to send wishes and suggestions to either teaching@bro.org or directly to us via info@bro.org.

The Teaching Meeting is now planned for Fridays at 10 A.M. PST, but will be held only if we have a topic. This will be announced via the Bro mailing list. Since the topics discussed and presented in this meeting are often interesting for every Bro user, we decided to open the meetings up to the whole Bro community.

Everyone will be able to join future meetings via: https://zoom.us/j/755877685.
If you want to suggest a topic or give a presentation in this format, please contact us via info@bro.org.

Bro Commits
Bro v2.3.2 was released. Source distribution and binary packages are available on our downloads page. This release fixes the following vulnerabilities:
  • Parsers generated by BinPAC may contain out-of-bounds memory reads due to insufficient validation of field lengths. Reported by John Villamil and Chris Rohlf - Yahoo Paranoids. (CVE-2014-9586)
  • A DNP3 pseudo link layer length of zero may trigger an assertion or buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1521)
  • Some non-zero values for the DNP3 pseudo link layer length may cause a buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1522)
We encourage users to review and install at their earliest convenience. For reporting security concerns and vulnerabilities, see: how to report a security vulnerability.

Bro in the wild
In this category we list Bro related finds from the web. If you want us to list your Bro story here, please contact us via info@bro.org.

Bro Internal

Bro sends congrats to the Bro team at NCSA

Congrats to the Bro team at NCSA!

Why Choose Bro?

The Bro Team has created promotional materials to help enthusiasts rally support for using Bro at their own organization.  See our printable document and corresponding video to start the conversation.

Monday, January 26, 2015

Bro 2.3.2 Release

Bro v2.3.2 is released. Source distribution and binary packages are available on our downloads page. This release fixes the following vulnerabilities:
  • Parsers generated by BinPAC may contain out-of-bounds memory reads due to insufficient validation of field lengths. Reported by John Villamil and Chris Rohlf - Yahoo Paranoids. (CVE-2014-9586)
  • A DNP3 pseudo link layer length of zero may trigger an assertion or buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1521)
  • Some non-zero values for the DNP3 pseudo link layer length may cause a buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1522)
We encourage users to review and install at their earliest convenience. For reporting security concerns and vulnerabilities, see: how to report a security vulnerability.

The Bro Team