Monday, May 18, 2015

Bro Monthly #5

Welcome to the 5th Bro Monthly newsletter. This month we cover the following topics:
  • Bro Meet-ups: our category for Bro related gatherings and groups,
  • Bro Commits: Bro v2.4 is here,
  • Bro in the wild,
  • Bro internal.

Bro Meet-ups


BroCon'15 Agenda online


Still not registered for BroCon'15?
Please have a look on our updated agenda.
We are happy to announce that the inventor of Bro, Vern Paxson will give a keynote speech.

The deadline to submit your presentation is coming very soon: May 29th. We already have some exciting topics, but there is for sure room for more. Send us your Bro story.

Bro Commits: Bro v2.4 is here


We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality.
  • Announcing the release of Broker: Bro's new communication library.
  • Major improvements to BroControl's reliability and error handling.
  • New analyzers: including SSH, DTLS, RDP, and MySQL.
  • File analysis supports reassembly of files not transferred/seen sequentially.
  • And, BroCut was rewritten in C to improve its speed.
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Bro in the wild

In this category we list Bro related finds from the web. If you want us to list your Bro story here, please contact us via info@bro.org.



Bro Internal



Friday, May 8, 2015

Bro 2.4 Beta

We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality
  • Announcing the release of Broker: Bro's new communication library
  • Major improvements to BroControl's reliability and error handling
  • New analyzers: including SSH, DTLS, RDP, and MySQL
  • File analysis supports reassembly of files not transferred/seen sequentially
  • And, BroCut was rewritten in C to improve its speed
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Tuesday, March 10, 2015

BroCon '15 Call for Presentations

BroCon '15 is now accepting presentation proposals.

This year is Bro's 20th Anniversary. To mark this special occasion we are looking for presentations that represent the diverse applications of Bro:

  • as a tool for solving problems;
  • interesting user stories, solutions, or research projects;
  • a postmortem analysis of a security incident, emphasizing Bro's contribution;
  • the value Bro brings to your professional work;
  • and, using Bro for more than intrusion detection.
Send abstracts to: info@bro.org
Subject: BroCon 2015 Call for Presentations
Due Date: Friday, May 29th

Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.


Friday, February 27, 2015

Bro Monthly #4

Welcome to the 4th Bro Monthly newsletter. This month we cover the following topics:
  • Bro Meet-ups: our category for Bro related gatherings and groups,
  • Bro teaching and training news,
  • Bro Commits: 2.3.2 is released,
  • Bro in the wild,
  • Bro internal.

Bro Meet-ups


Bro4Pros


On 2/18 and 2/19 we had our first Bro workshop for advanced users, Bro4Pros at the OpenDNS headquarters in San Francisco. Thanks again to our hosts and especially to Dan Hubbard. The topics focused on practical Bro questions arising in everyday usage. They ranged from advanced Bro scripting to complex engineering when planning and setting up Bro in big networks. The small group size allowed us to go in depth and discuss detailed questions.

Kara Drapala from OpenDNS wrote a blog post about Bro4Pros. If you want to read the view of someone experiencing the Bro Team for the first time, read her article.

We thank all our speakers and presenters.
  • Anthony Kasza of OpenDNS presented concepts and exercises focussing on DNS and its relationship to other protocols. Topics discussed include: how exploit kits make use of drive-by compromises, how malware implants use DGAs for obscuring command and control communications, and how passive DNS can fit into network detection strategies. Proof of concept Bro scripts implementing detection methods were demonstrated. The presentation encouraged others to author Bro scripts (even if just for experimental purposes) and showed how Bro's scripting language can be used to extend the current capabilities of Bro.
    Slides posted here.
  • Justin Azoff demonstrated ways to make Bro even more useful by visualizing its metrics. Using external tools in combination with Bro brings your Bro deployment to life and can help understand your network.
  • Seth Hall showed an approach to matching files seen on the wire with VirusTotal and discussed why this may be a difficult problem to approach.
  • Robin Sommer demonstrated how to make Bro even more powerful by extending it with dynamic plugins. If you want to get started you might find our documentation helpful. 
  • Another talk by Seth Hall covered some of the pitfalls when scripting with Bro and how to avoid them. 
  • Liam Randall and Alex Waher gave Lightning talks:
    • Alex Waher presented his experience on using Bro in conjunction with viewssld to process encrypted traffic.
    • Liam Randall presented two projects: Bro Top lets you stream your Bro logs to the browser for easy debugging and a real-time glimpse into what's being processed. The Intel Marketplace for Bro is a free feed manager for the Bro Platform that lets you choose from nearly 60 free open source feeds of intelligence and map them to collections of Bro sensors; it is supported on 24 different *nix versions.
  • Vlad Grigorescu gave a talk on "Verifying and troubleshooting your Bro Deployment". Slides are posted here; the companion script is posted here.
  • The second day was opened by Seth Hall discussing Bro internals. He showed how Bro approaches the hard problem of edge cases in protocols, with HTTP as an example. He walked through turning the raw event stream into good logs and enabling a comfortable programming model that hides the complexity.
  • Josh Liburdi discussed methods of analyzing RDP traffic with Bro by introducing an RDP protocol analyzer. You can find his slides here. To try it out, go to Josh's git repository.
  • Seth Hall helped out again, demonstrating the new file reassembly feature coming in Bro 2.4 and other small changes to how files are handled.
  • Closing with a bang: Aashish Sharma and Vincent Stoffer gave the last talk at Bro4Pros. They presented the impressive Bro setup implemented at the Lawrence Berkeley Lab. They are willing to share their slides with individuals. Please contact security@lbl.gov.

BroCon'15


We are happy to announce BroCon'15!

BroCon '15 registration is now open. You may register here: https://www.regonline.com/brocon2015. We have reserved a block of hotel rooms for the event. For more information about hotel accommodations and other updates, see the event page: https://www.bro.org/community/brocon2015.html

If your organization is interested in sponsoring BroCon '15, please contact us at info@bro.org.

Thanks for your continued support, see you in August!

Bro Teaching and Training


The Bro Teaching Community is for anyone who wants to teach Bro or use Bro for teaching. We provide a connecting point through a git repository and a mailing list. We also used to have a weekly meeting. The Bro Teaching Community lives on the input that comes from its members. As we noticed decreasing activity in our weekly meetings, we went through several changes to adapt to the real needs of the community. This is a continuing process. In order to make the Teaching Community more active and to improve it further, we invite everyone to send wishes and suggestions to either teaching@bro.org or directly to us via info@bro.org.

The Teaching Meeting is now planned for Fridays 10 A.M. PST but will be held only if we have a topic. This will be announced via the Bro mailing list. Since the topics discussed/presented in this meeting are often interesting for every Bro user, we decided to open the meetings up to the whole Bro community.

Everyone will be able to join future meetings via: https://zoom.us/j/755877685.
If you want to suggest a topic or give a presentation for this format, please contact us via info@bro.org.

Bro Commits


Bro v2.3.2 was released. Source distribution and binary packages are available on our downloads page. This release fixes the following vulnerabilities:
  • Parsers generated by BinPAC may contain out-of-bounds memory reads due to insufficient validation of field lengths. Reported by John Villamil and Chris Rohlf - Yahoo Paranoids. (CVE-2014-9586)
  • A DNP3 pseudo link layer length of zero may trigger an assertion or buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1521)
  • Some non-zero values for the DNP3 pseudo link layer length may cause a buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1522)
We encourage users to review and install at their earliest convenience. For reporting security concerns and vulnerabilities, see: how to report a security vulnerability.

Bro in the wild


In this category we list Bro related finds from the web. If you want us to list your Bro story here, please contact us via info@bro.org.

Bro Internal

Bro sends congrats to the Bro team at NCSA

Congrats to the Bro team at NCSA!

Why Choose Bro?

The Bro Team has created promotional materials to help enthusiasts rally support for using Bro at their own organization.  See our printable document and corresponding video to start the conversation.

Monday, January 26, 2015

Bro 2.3.2 Release

Bro v2.3.2 is released. Source distribution and binary packages are available on our downloads page. This release fixes the following vulnerabilities:
  • Parsers generated by BinPAC may contain out-of-bounds memory reads due to insufficient validation of field lengths. Reported by John Villamil and Chris Rohlf - Yahoo Paranoids. (CVE-2014-9586)
  • A DNP3 pseudo link layer length of zero may trigger an assertion or buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1521)
  • Some non-zero values for the DNP3 pseudo link layer length may cause a buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1522)
We encourage users to review and install at their earliest convenience. For reporting security concerns and vulnerabilities, see: how to report a security vulnerability.

The Bro Team

Thursday, December 18, 2014

Bro Rewind 2014

Bro 2014

Welcome to the Bro monthly newsletter, which for the month of December features the Bro annual newsletter, recapping the events of 2014.
We will talk about:
  • Bro events in 2014. 
  • New resources for the community: 2014 the Bro community gained many new resources to learn, teach, and get help with using Bro. 
  • Bro impact: an overview of Bro's visibility and impact in terms of statistics and awards. 
  • Security is broken: highlights of the security breaches we saw in 2014. 
  • Bro dev: new developments, major releases.
  • Bro research: along with being a widely used NSM, Bro also both enables research and itself inspires research and innovation. 

Bro Events

  • Cybersecurity Summit 2014 — August 2014 
  • BroCon ‘14 — August 2014 
  • Floss Weekly — May 2014 
  • DOE Network Monitoring Group Meeting — May 2014, Lawrence Berkeley National Laboratory 
  • BSides Cincinnati — May 2014 
  • Troopers 2014 — March 2014. Talk: Bro: A Flexible Open-Source Platform for Comprehensive Network Security Monitoring. Slides.
  • The Bro Team presented a members-only two-day Bro training workshop for the Department of Energy.

Bro Resources


Over the last year the Bro team continued to improve the usability of Bro, also in terms of resources, such as documentation. In this section we want to focus on new developments.

Bro Center of Expertise


The Bro Center of Expertise is a central point of contact for institutions funded by the National Science Foundation (NSF) that bundles the Bro Team’s expertise and offers it to NSF-supported sites seeking advice.

The Center provides the umbrella for many of the efforts we discuss in the following.

The More You Bro


The More You Bro is a series about various features of Bro, taught in the format of a hands-on tutorial. The episodes are intentionally brief to keep the content focused and approachable to new learners. Interested in suggesting a topic? Send us an email at info@bro.org or Tweet us @Bro_IDS.

The Bro Teaching Community


The Bro Teaching Community aims to create a knowledge base and resource collection for educators, ranging from example curricula and slide sets to exercises for all purposes and skills levels. By coordinating and synchronizing existing and future teaching efforts, we want to help share materials, and exchange “lessons learned” from different settings. With members of the core Bro team involved, the Community also helps with technical questions and provides guidance on using Bro effectively.

The Bro Teaching Community offers a bi-weekly meeting as well as access to a restricted git repository where we collect reusable teaching material. In the meetings we discuss possible curricula, technical problems, and other related topics.  The Bro Teaching Community is a collaboration of the Bro core team and interested university faculty.

Get in touch via info@bro.org.

The Bro Playground


Teaching, learning, and testing are activities that are sometimes hard to distinguish. They all need a non-disruptive space to enable exploration without risking harm to productive systems.

In 2014 the Bro team released two new tools that allow you and your students to explore Bro in a safe way.

Bro Live!


Bro Live! is a training system that gives users hands-on access to a Bro learning environment without having to install a virtual machine and deal with associated dependencies. Bro Live! can be built with exercises for a given class or workshop, with access to the environment limited to the duration of the event if desired. All the user needs is an SSH client and Internet access.

Bro Live! is a Linux-based sandbox system, relying on Linux containers, OpenSSH, and Docker. It places the user in their own isolated environment with shell access to Bro, the exercises, and the standard Unix toolset. The user's work is saved in their container typically for the duration of the training event and can be easily re-attached at anytime during the event to continue their work.

To use Bro Live! download it from Github.

ISLET


The work on Bro Live! led to the development of ISLET.

ISLET, the Isolated, Scalable, and Lightweight Environment for Training, is a platform used to teach Linux-based software that reduces the administrative overhead of building training environments and ensures a smoother training experience for users than comparable virtual appliance-based training. We intend ISLET to provide an improved replacement for event training that relies on virtual machines. It excels at quickly providing users with shell access to containers to play with network security and other Linux-based tools.

The official BroLive! training image works with ISLET, and we launched a precursor at BroCon14.

https://registry.hub.docker.com/u/broplatform/brolive/
https://github.com/jonschipp/ISLET

Try.Bro


Try.bro.org is a web-based scripting sandbox made freely available to users on our site. No login. No installation. No trouble.

We have included a few basic scripts and pcaps to help users get started. Users can paste their own scripts or upload their own pcaps. The environment includes version control to test your scripts against current or previous versions of Bro. In addition, Try.bro caches a user's work and generates unique URLs to enable sharing with others. No more copying and pasting scripts or log files, just send the link. We store code fragments for three days and pcaps for one hour, resetting the timeout when the link is used.

Bro Impact


Since the make-over of Bro in 2012, which specifically targeted better usability for production deployments, Bro has attracted more users every year. All the Bro 2.x releases were enabled by an NSF award that ended in 2014, with the NSF Center now continuing that work. 

With the number of users, the number of contributors and third party scripts and extensions grew as well. In this section we sketch these developments.

InfoWorld awarded Bro a 2014 "Bossie Award" in the category "The best open source networking and security software", and they also included Bro in their list of "11 open source security tools catching fire on GitHub". Indeed, Bro is at the top of GitHub's security showcases list now and has more than 640 stars.

We typically see about 10,000 direct downloads per version from our main server.  These tend to come from a couple thousand unique ASNs across about 150 countries. These numbers do not include downloads from GitHub, nor what has arguably become the most common way for new users to get started with Bro: Security Onion, a Linux-based live DVD environment tailored to security monitoring, which includes Bro as a key component.

During the recent years attendance at our annual Bro user meetings grew from originally 30-50 people to 150 attendees from 60 different institutions at the 2014 event.

Our Twitter account shows almost 3,000 followers, and the main Bro mailing list now reaches close to 1,000 people.

Security is Bro-ken


2014 saw a number of severe security incidents, many of them concerning TLS/SSL. Here is a collection of some of the most important cases.

Heartbleed


The Heartbleed vulnerability in the widely used OpenSSL library can reveal memory contents of processes running OpenSSL, which can include highly sensitive data such as encryption key material. Due to the ease of exploiting it and the large number of vulnerable servers, the vulnerability was very widely reported, and represents one of the most serious security problems in the Internet this year. Bro includes a thorough detection script that can alert users if Heartbleed exploits are performed on their network.

To enable Heartbleed detection, load the policy/protocols/ssl/heartbleed.bro script.  If you use broctl, it will be loaded by default in a new installation using this branch. If using Bro on the command line, e.g., to read a trace, specify it directly:

bro -r [trace] policy/protocols/ssl/heartbleed

As usual, Bro will write the corresponding notices to notice.log.

Shellshock


Another significant vulnerability was first "announced" in a patch message. On September 24th, news went viral about a Bash patch that revealed a very serious vulnerability in Bash: ''... the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.'' [source]

In other words, this bug allows anyone to execute their own code on affected remote hosts!  Even worse, if a vulnerable server runs as root, an attacker exploiting the vulnerability can immediately, and trivially, acquire full control over the server's system.

A Bro Shellshock detector was released September 25th by Broala.

SSLv3 - Poodle


SSL headaches were still not done for the year. October saw the discovery of a protocol flaw in SSLv3. To find SSLv3 servers in Bro logs:

cat ssl.log | bro-cut version id.resp_h | grep "^SSLv3" | awk '{print $2}'| sort | uniq -c | sort -nr

Blog post: The SSLv3 #Poodle Attack & current SSL usage statistics from the ICSI SSL Notary  (http://t.co/lJeHc1DGNc). — ICSI Notary (@ICSInotary) October 17, 2014.

Bro Dev


During the last year Bro was developed further and extended. This section presents a snippet of the coding news from the Bro universe.

Bro 2.3


The release of 2.3 freed Bro from its dependency on Libmagic. The release brought (among other things) new SSL functionality, e.g., to detect the Heartbleed vulnerability; analyzers for SNMP and Radius; and extended capabilities for PF_Ring.

Users still operating on 2.2 can find out what's exciting about 2.3.

Packet Bricks


We are happy to announce an initial prototype of Packet Bricks, a new Bro-related project written by Asim Jamshed from KAIST, who visited the Bro team in Berkeley over the summer.

Packet Bricks - which is still under active development - is a Linux/FreeBSD daemon that is capable of receiving and distributing ingress traffic to user-land applications. Its main responsibilities will eventually include: (i) load-balancing, (ii) duplicating, and/or (iii) filtering ingress traffic across all registered applications. The distribution is flow-aware (i.e., packets of one connection will always end up in the same application). Packet Bricks leverages the netmap packet I/O framework for handling packets efficiently, and employs netmap pipes to forward packets to user-land applications.

Packet Bricks is available on github. It's still a very early piece of software, and we announce it at this time primarily for users willing to help us collect some first experiences with it. If you have any feedback, please send it to the Bro development mailing list. If you aren't subscribed yet, do so here.

Bro Research


Bro's powerful capabilities to analyze traffic make it a powerful research tool, while Bro itself also serves as a domain for research.

BinPAC++ Release


In the context of ICSI's ongoing research projects, we developed a prototype of BinPAC++.

BinPAC++ is a next-generation parser generator that makes it easy to build parsers for network protocols, file formats, and more.  It provides a comprehensive system that enables developers to write attributed grammars defining both syntax and semantics of an input format inside a single comprehensive scripting language.

The BinPAC++ toolchain, built on top of HILTI, turns such grammars into efficient parsing code that exposes a well-defined C interface to its host application for feeding in input and retrieving results. At runtime, parsing proceeds fully incrementally—and potentially in parallel—on input streams of arbitrary size. Compilation takes place either statically at build time, or just-in-time at startup.

You might have seen Robin Sommer's demo at BroCon'14. If you want to try it out, you can fetch the code, though keep in mind that it is still a prototype and not yet production-ready.

Bro Related Publications


Here is an overview of this year's research output. The list contains publications of Bro team members but also external publications that use or extend Bro for their work. Please note that we do NOT know if this list is complete, there might be more publications out there and you are invited to let us know about each of them.

You can find a more complete list of Bro-related publications here.


Wednesday, November 19, 2014

Bro Monthly #3


Welcome to the 3rd Bro Monthly newsletter.
This month we cover the following topics:
  • Bro Meet-ups: a new monthly category for Bro related gatherings and groups,
  • Bro teaching and training,
  • Bro in research,
  • Bro in the wild,
  • Bro-active: current exploits, attacks, and how Bro can help, and other everyday Bro.

Call for news:


If you want to point us to anything that should be in the next monthly, just let us know: send mail to news@bro.org or tweet it to @Bro_IDS.

Bro Meet-ups


This new category lists all meet-ups we hear of that are somehow related to Bro. If you send us the information we can list your event here. Just write to info@bro.org.

OpenNSM


OpenNSM aims to provide a place for network security analysts and those interested in information security with a network security and incident response focus to share tricks, solutions, work on projects, and other knowledge about the subject. We're not aware of any other active NSM user groups in the United States, and have the ambitious goal of being a premier place for students, professionals, and hobbyists, from all over to share their research, tools, and techniques in a laid back and friendly environment. Remote attendance is available. Join the mailing list or Facebook group for meeting info.

They've had 3 presentations from Bro Team members so far and more to come!

More info: http://opennsm.ncsa.illinois.edu/

Bro teaching and training


ISLET


The Isolated, Scalable, & Lightweight Environment for Training is a container system for teaching Linux-based software with minimal participation and configuration effort. You can use ISLET to teach Bro by installing the BroLive! environment ('make install-brolive-config') after installing ISLET.

https://github.com/jonschipp/islet
https://registry.hub.docker.com/u/broplatform/brolive/


Bro research


HILTI


When developing networking systems such as firewalls, routers, and intrusion detection systems, one faces a striking gap between the ease with which one can often describe a desired analysis in high-level terms, and the tremendous amount of low-level implementation details that one must still grapple with to come to a robust solution. At this year's Internet Measurement Conference (IMC) we presented a prototype of "HILTI", a platform that bridges this divide by providing much of the standard low-level functionality, without tying it to any specific analysis structure.


Beyond pattern matching: a concurrency model for stateful deep packet inspection


On modern multi-core processing platforms, intrusion detection systems need to scale across a large number of processing units--a challenge, as distributing their analysis must not come at the cost of decreased effectiveness in attack detection. At ACM's Conference on Computer and Communications Security (CCS) we presented a novel domain-specific concurrency model that facilitates concurrent traffic analysis by partitioning input according to fine-granular analysis scopes.


Bro in the wild




Bro-active


SSLv3


SSL continues to produce headaches; last month's hiccup was a protocol mistake in SSLv3.

To find SSLv3 servers in your Bro logs this line helps you:

cat ssl.log | bro-cut version id.resp_h | grep "^SSLv3" | awk '{print $2}'|  sort | uniq -c | sort -nr
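The one-liner above, and the identical one in the Bro Rewind 2014 post, both need bro-cut, and the Heartbleed section of that post leaves the reader to dig the notices out of notice.log by hand. As an added example (not code from the Bro blog or the Bro project), here is the same SSLv3 census with bro-cut's column selection re-implemented in awk, plus a filter for Heartbleed notices; brolog_cut, ssl3_servers, heartbleed_hits and both sample logs are constructed here, and the "Heartbleed::" notice prefix is an assumption about heartbleed.bro.

```shell
#!/bin/sh
# Added example, not code from the Bro blog. bro-cut's column selection is
# re-implemented in awk (brolog_cut, a name introduced here) so the pipelines
# from the posts run where bro-cut is absent. Columns are resolved by name from
# the "#fields" header, so the column order of ssl.log/notice.log does not matter.

# brolog_cut LOG FIELD...  -> the named columns of a Bro TSV log, tab-separated,
# with the #-prefixed header and footer lines skipped.
brolog_cut() {
    log=$1
    shift
    awk -F '\t' -v OFS='\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^#fields/ {
            # $1 is the literal "#fields", so header entry i names data column i-1
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            for (j = 1; j <= n; j++)
                if (!(names[j] in col)) {
                    print "unknown field: " names[j] > "/dev/stderr"
                    exit 1
                }
            next
        }
        /^#/ { next }                      # #separator, #path, #types, #close ...
        {
            out = ""
            for (j = 1; j <= n; j++)
                out = out (j > 1 ? OFS : "") $(col[names[j]])
            print out
        }' "$log"
}

# ssl3_servers SSL_LOG -> "count host" lines, busiest SSLv3 server first
# (the pipeline from the post, with bro-cut swapped for brolog_cut)
ssl3_servers() {
    brolog_cut "$1" version id.resp_h | grep '^SSLv3' | awk '{print $2}' \
        | sort | uniq -c | sort -nr
}

# heartbleed_hits NOTICE_LOG -> "note host" lines for notices raised by
# heartbleed.bro; the Heartbleed:: namespace prefix is an assumption.
heartbleed_hits() {
    brolog_cut "$1" note id.resp_h | grep '^Heartbleed::'
}

# Constructed sample logs: documentation-range addresses, made-up uids.
# Real logs carry more columns; the header-driven lookup does not care.
SSL_LOG=$(mktemp)
{
    printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tssl\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\n'
    printf '1413500000.1\tCa1\t10.0.0.5\t51000\t192.0.2.10\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\n'
    printf '1413500001.2\tCa2\t10.0.0.6\t51001\t192.0.2.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n'
    printf '1413500002.3\tCa3\t10.0.0.7\t51002\t192.0.2.20\t443\tSSLv3\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\n'
    printf '1413500003.4\tCa4\t10.0.0.8\t51003\t192.0.2.10\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\n'
    printf '1413500004.5\tCa5\t10.0.0.9\t51004\t192.0.2.30\t443\t-\t-\n'
    printf '#close\t2014-10-17-00-00-05\n'
} > "$SSL_LOG"

NOTICE_LOG=$(mktemp)
{
    printf '#separator \\x09\n#path\tnotice\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
    printf '1413500000.2\tCa1\t10.0.0.5\t51000\t192.0.2.10\t443\tHeartbleed::SSL_Heartbeat_Attack\tconstructed sample\n'
    printf '1413500005.0\tCa6\t10.0.0.5\t52000\t192.0.2.40\t22\tExample::Unrelated_Notice\tconstructed sample\n'
    printf '#close\t2014-10-17-00-00-05\n'
} > "$NOTICE_LOG"

ssl3_servers "$SSL_LOG"
heartbleed_hits "$NOTICE_LOG"
```

Pointing the two functions at a real ssl.log and notice.log gives the same census and notice filter for your own deployment.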


FireEye APT28


Bro Passive DNS tool