The Bro Blog

Wednesday, June 5, 2013

Announcing Bro Exchange 2013 and Requesting Talks

I’m happy to announce the Bro Exchange for 2013 is a go! Our Bro Exchanges aim
to get a large number of Bro users together into the same room to share
experiences and talk about how everyone is using Bro. This time, we’ll also add
in a bit of training similar to past Bro Workshops. We’re a little light on
specifics for the program still, but we’ll send more notifications as we pull the
program together.

The dates are going to be August 6th-8th and we will be back at the awesome
facilities offered by NCSA (National Center for Supercomputing Applications) in
Urbana, Illinois. For more information about what goes on at NCSA, you can
refer to their website: http://www.ncsa.illinois.edu

If we are going to run another successful event this year we’ll need your help.
Submit talks to us if you have something to say. Show how you use Bro and how
it fits into your local processes. Let everyone else in the community benefit
from your experimentation! Send email to us at info@bro.org to submit a talk.
We’re going to set a deadline on June 30th for talk submissions so get them in
quickly and feel free to let us know if you have an idea for a talk but you
aren’t sure if it’s presentable. We’d gladly discuss it with you.

I’m really excited and looking forward to getting together with the Bro
community again this year!

Head over to our Bro Exchange website for more information and the link to our
registration site:

http://www.bro.org/community/exchange2013.html

Help Us Demonstrate Bro's Impact: Deployment Survey

In 2010, the Bro Team received a grant from the National Science Foundation (NSF) to advance the state of the system, with a particular focus on making Bro easier to deploy. Much of the work on Bro 2.x has been (and still is) funded out of this grant. We'd like to demonstrate to NSF that their support has made a real difference and have prepared a short survey aimed at better understanding today's state of Bro deployments. If you're running Bro on your organisation's network, please take a few minutes to fill it out (it's anonymous and really short!):

Link to Bro Deployment Survey

Many thanks in advance; a strong response may help us secure future funding to continue the current work.

Monday, May 13, 2013

On Bro's License, Name, and Logo

We are very excited to see all the interest that Bro has been generating recently, with many new deployments across networks of all sizes and people working to interface the system to their environments and hardware. Occasionally, however, we also notice a bit of confusion about Bro's licensing in terms of what exactly it permits and where it imposes constraints. To help clarify that, we have created a new Licensing section in our FAQ, and a separate page with guidelines for using the Bro marks.

Here's the short version:

  • Bro's source code is, and will remain, open-source under the very permissive BSD license. The license allows for pretty much unrestricted distribution and use. Specifically, you are free to deploy any or all of the code in commercial products. You don't even need to tell us about it if you'd rather not.
  • All documentation and web page content is licensed under a Creative Commons NonCommercial license. This means that you can use, share, and adapt the material as long as you attribute the Bro Project as the source and do not use it for any commercial purposes.
  • Finally, we reserve all rights to the Bro name and logo. In many cases it will be fine for you to use our marks but we ask for a chance to review your case. In particular, we consider it important that we avoid any confusion on what the name "Bro" refers to. We have a simple rule of thumb for that: if it's called "Bro", it must be our "Bro" as found on www.bro.org. You are free to derive your own versions from our code base, but you can't call it "Bro" unless we have signed off on your use. We believe that this is a fair constraint in the interest of Bro's users, and indeed not unusual in the open-source world.

See the above links for more information and feel free to contact us for further questions.

Thursday, March 7, 2013

bro.org — A New Home for Bro

We are very excited to announce that as of today all Bro-related services have found a new home under the bro.org domain. We've moved most services over from bro-ids.org already, and the remaining pieces should fall in place over the next couple of days. Generally, things should just keep working, with the old names redirecting to the new ones transparently. You may however need to adjust your email filters if you're subscribed to any of our mailing lists.

This move reflects a change in perspective that has been shaping up for a while already. The problem is that what most people associate with the term "IDS" doesn't actually fit Bro very well. Bro's capabilities go beyond what traditional "IDS" provide, and its real strengths lie in areas where there's not much else out there to compare it with. Indeed, Bro can do much more than "just intrusion detection". Many of our users are deploying it in a range of very different settings for gaining insight into their networks independent of any security concerns. In this sense, we've been playing down the "IDS" angle for a while already, and the new domain makes that explicit. On top of that, a three-letter domain is of course much cooler anyways.

This change was made possible by a generous donation from Liam Randall to the International Computer Science Institute. The donation allowed us to acquire the domain from its previous owner. We are extremely grateful for Liam's support; many thanks to him from the whole Bro Team!

Friday, February 22, 2013

Watching for the APT1 Intelligence

Earlier this week, Mandiant released their APT1 report. I’m not going to bother providing any analysis or commentary on it; there has been plenty of that this week. As a developer on a network analysis tool, my interest primarily lies in consuming the intelligence data they provided and seeing how I can use it.

Vern Paxson, the original author of Bro, asked me yesterday morning if I had a simple example of a Bro script that he could use for a talk today. Bro’s current lead developer, Robin Sommer, suggested that we could show something related to the APT1 report. That’s when it occurred to me that doing so would actually result in a fairly simple and self-contained script, so I set off to write it.

Several hours later, interspersed with a few phone calls and lots of instant messaging, I had the script done and documented. Here’s where you can find the script module now: APT1 repository on GitHub

There are a few key points about the script that I wanted to take a moment to highlight.

  1. The entire script really boils down to three ‘if’ statements, one for each of the types of data that Mandiant distributed (certificates, file hashes, and domain names).
  2. Mandiant didn’t actually distribute hashes for the certificates, so we had to get a little creative. We match on the certificate subject and serial number together, because after searching through the data store for our certificate notary project we discovered that some of the listed subjects also appear on legitimate certificates; matching on the subject alone would therefore produce false positives.
  3. Domain names are only being searched for in DNS queries. This is certainly suboptimal, but it’s a first step.
  4. MD5 hashes are only being checked for files transferred over HTTP, and only for Windows executables by default. The README included with the bro-apt1 repository includes instructions for expanding that to more files.
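To make the three checks concrete, here is an added example in Bro's scripting language. It is not the bro-apt1 script itself; it is a sketch of the same structure (one ‘if’ per indicator type, certificates keyed on subject plus serial, domains checked only in DNS queries, MD5s checked only for files Bro already hashes over HTTP). It assumes the Bro 2.1 event signatures (`dns_request`, `x509_certificate`, `HTTP::log_http`) and the `HTTP::Info$md5` field that Bro 2.1 fills for MIME types matching `HTTP::generate_md5`; the module name `APT1Example` and every indicator value are constructed placeholders, not values from the report.

```bro
# Added example, not the bro-apt1 script. Assumes Bro 2.1 event signatures.
@load base/frameworks/notice
@load base/protocols/dns
@load base/protocols/http
@load base/protocols/ssl

module APT1Example;

export {
	redef enum Notice::Type += {
		## A DNS query matched an indicator domain.
		Domain_Hit,
		## A served X.509 certificate matched an indicator subject+serial pair.
		Cert_Hit,
		## A file transferred over HTTP matched an indicator MD5.
		MD5_Hit,
	};

	## Constructed placeholder indicators (not values from the report).
	## Real data would be loaded from the report's appendices.
	const domains: set[string] = {
		"indicator-domain.example",
	} &redef;

	## Certificates are keyed on subject and serial together, because the
	## subject alone also appears on legitimate certificates.
	const certs: set[string, string] = {
		["CN=placeholder-subject", "00"],
	} &redef;

	const md5s: set[string] = {
		"00000000000000000000000000000000",
	} &redef;
}

# Check 1: domain names, looked up in DNS queries only.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( to_lower(query) in domains )
		NOTICE([$note=Domain_Hit, $conn=c,
		        $msg=fmt("DNS query for indicator domain %s", query),
		        $identifier=cat(c$id$orig_h, query)]);
	}

# Check 2: certificate subject and serial number matched as a pair.
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
	{
	if ( [cert$subject, cert$serial] in certs )
		NOTICE([$note=Cert_Hit, $conn=c,
		        $msg=fmt("Certificate %s (serial %s) matched an indicator", cert$subject, cert$serial),
		        $identifier=cat(c$id$resp_h, cert$serial)]);
	}

# Check 3: MD5 of files served over HTTP. In Bro 2.1 the md5 field is only
# present for MIME types matching HTTP::generate_md5 (Windows executables by
# default), which is why the check is limited to those files unless that
# pattern is widened.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( rec?$md5 && rec$md5 in md5s )
		NOTICE([$note=MD5_Hit, $id=rec$id,
		        $msg=fmt("HTTP file with indicator MD5 %s from %s", rec$md5, rec$id$resp_h),
		        $identifier=cat(rec$id$orig_h, rec$md5)]);
	}
```

The `$identifier` on each notice lets Bro's notice framework suppress repeated alerts for the same host and indicator, which matters once real indicator lists are loaded and a single noisy client would otherwise generate one notice per lookup.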

This was an interesting experiment for me because it opened my eyes a little bit to a potential use for the upcoming revamp of Bro’s Intelligence Framework. The work on the Intelligence Framework is mostly done already and only has relatively small tuning remaining. If I had used the Intelligence Framework for this script, the domain names would have been searched for in many, many places automatically and not just DNS queries (the next obvious step would be HTTP Host headers). Data loading and distribution would have been abstracted much better: the data would have been loaded at runtime rather than encoded in a Bro script, which is certainly workable but suboptimal. The result would have been even less code and greater use of the data. Those two features in combination are very attractive to me for obvious reasons!

The script ended up being quite nice for about a combined hour of effort, but it’s a very naive implementation compared to what we’re working toward. My only question now is whether it ended up being too simple of an example for what Vern wanted.

The script module is fully self-contained and very easy to run. I hope that no one has any hits!

Tuesday, January 22, 2013

Bro Summer Internship Available
The Bro Project has an opening for a three month summer internship. If you are interested in helping us improve Bro and develop new functionality, please apply!

See here for more information.