Thursday, September 10, 2015

Analyzing Bro Logs with Sagan


Applying log analysis tools to Bro logs can improve event correlation and expedite the use of pattern-based signatures for quick detection. Sagan, a multithreaded log analysis engine written by Champ Clark ("Da Beave"), is a good candidate for performing log analysis on Bro output for the following reasons:

  • Sagan supports the Bro intel file format through a preprocessor
  • Contains existing rules for detections from Bro logs
  • Uses the familiar snort-like rule language
  • Ability to output data in unified2, integrates with existing tools like Snorby, Sguil, Squert, etc.
OSSEC is another popular tool that can perform log analysis and is able to integrate with other tools.


To implement this, Bro logs are forwarded from the Bro manager to the system running Sagan via a syslog daemon that supports forwarding. A syslog daemon listening on the Sagan host accepts the Bro logs and writes them to a FIFO (named pipe) from which Sagan reads. Sagan hands each log line it reads to a worker thread, which applies the rules to it. See the documentation for details on installing and configuring Sagan. A few examples are given below for forwarding Bro logs to the remote syslog host where Sagan lives.

A forwarding example with Rsyslog (RainerScript); the input parameters mirror the legacy-syntax example below, and sagan.example.com is a placeholder for your Sagan host:
module(load="imfile" PollingInterval="1")

# Read in dns.log on Bro manager
input(type="imfile"
      File="/usr/local/bro/logs/current/dns.log"
      Tag="bro_dns:"
      StateFile="stat-bro_dns"
      Severity="debug"
      Facility="local6")

# Forward logs to sagan system (replace sagan.example.com with your Sagan host)
local6.* action(type="omfwd" Target="sagan.example.com" Port="514" Protocol="tcp")
A forwarding example using the older Rsyslog syntax; note that $InputRunFileMonitor is required to activate the file monitor, and sagan.example.com is a placeholder for your Sagan host:
$ModLoad imfile

# Read in dns.log on Bro manager
$InputFileName /usr/local/bro/logs/current/dns.log
$InputFileTag bro_dns:
$InputFileStateFile stat-bro_dns
$InputFileSeverity debug
$InputFileFacility local6
$InputRunFileMonitor

# Forward logs to sagan system (replace sagan.example.com with your Sagan host)
local6.* @@sagan.example.com:514
Use multiple input configurations, one per log file with its own tag and state file, to send more Bro logs.


Sagan's rules package includes ready-made snort-like rules for Bro logs in a file named bro-ids.rules. Below are a few custom rules written by Jon Schipp that were presented at BroCon '15.

The first rule detects hosts that made at least 10 DNS requests in an hour (3600 s) for names present in an intelligence feed. For this to work, Sagan's Bro intel processor must be enabled in sagan.conf and pointed at Bro-formatted intel files, and the custom rules file must be included:
# sagan.conf
processor bro-intel: /usr/local/etc/,/usr/local/etc/,/usr/local/etc/
# Include custom bro rules
include $RULE_PATH/local-bro.rules
The work is done by the bro-intel: domain option, which matches any feed entry of type Intel::DOMAIN against the logs Sagan is analyzing. The after: track by_src, count 10, seconds 3600 option then holds the alert back until one source has produced 10 such matches within an hour, and parse_src_ip: 1 / parse_dst_ip: 2 tell Sagan that the first IP address in the log line is the source and the second the destination.

# local-bro.rules
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BRO] Excessive Bad Domains (10+)"; bro-intel: domain; after: track by_src, count 10, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; sid: 13000000;rev:1;)
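To make the rule's moving parts concrete, here is an added Python approximation of it (example code, not part of Sagan, Bro or the original post). It loads the Intel::DOMAIN indicators from a Bro-format intel file, checks each forwarded dns.log line for one of them (bro-intel: domain), takes the first IPv4 address in the line as the source (parse_src_ip: 1) and applies the sliding window of after: track by_src, count 10, seconds 3600. The intel file and the log lines are constructed; the window uses the Bro ts field rather than Sagan's wall clock, which is an assumption of the approximation.

```python
import re
from collections import defaultdict, deque

# Added example, not Sagan or Bro project code: an approximation of the
# "[BRO] Excessive Bad Domains (10+)" rule. The intel file and the dns.log
# lines are constructed for the example.

# parse_src_ip: 1 -> the first IPv4 address found in the log line
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed Bro-format intel file (tab separated, as Bro's Intel framework reads it)
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "evil.example\tIntel::DOMAIN\tconstructed-feed\tconstructed test domain\n"
    "198.51.100.7\tIntel::ADDR\tconstructed-feed\tnot a domain, must be ignored\n"
)


def load_domain_indicators(intel_text):
    """Collect the Intel::DOMAIN indicators (what bro-intel: domain matches on)."""
    domains = set()
    for line in intel_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) >= 2 and fields[1] == "Intel::DOMAIN":
            domains.add(fields[0].lower())
    return domains


class AfterBySrc:
    """after: track by_src, count N, seconds S -- true on the Nth and every later
    event from the same source inside a sliding S-second window. Time is taken
    from the Bro ts field so the example is deterministic; Sagan itself tracks
    wall-clock time (an assumption of this approximation)."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.events = defaultdict(deque)

    def hit(self, src, ts):
        window = self.events[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count


def dns_line(ts, orig_h, query):
    """One syslog-forwarded dns.log line carrying the bro_dns: tag from the rsyslog config."""
    fields = [f"{ts:.6f}", "CXkQ2v1abcd", orig_h, "53122", "192.0.2.53", "53", "udp",
              "12345", query, "1", "C_INTERNET", "1", "A", "0", "NOERROR",
              "F", "F", "T", "T", "0", "203.0.113.10", "300.000000", "F"]
    return "Sep 10 12:00:00 bro-manager bro_dns: " + "\t".join(fields)


def analyze_dns(lines, domains, count=10, seconds=3600):
    """Return (src, ts) for every line on which the rule would alert."""
    tracker = AfterBySrc(count, seconds)
    alerts = []
    for line in lines:
        payload = line.split("bro_dns: ", 1)[1]
        tokens = payload.split()            # Bro fields, whatever whitespace separates them
        ts = float(tokens[0])
        # bro-intel: domain -- an Intel::DOMAIN indicator appears as a field of the line
        if not any(tok.lower() in domains for tok in tokens):
            continue
        ips = IPV4.findall(line)
        if not ips:
            continue
        if tracker.hit(ips[0], ts):         # parse_src_ip: 1
            alerts.append((ips[0], ts))
    return alerts


def demo():
    """10.0.0.5 resolves the bad name 11 times a minute apart: alerts on the 10th
    and 11th. 10.0.0.9 does it 9 times, then once more just over an hour after
    its first request: the window has slid, so it never reaches 10 and stays silent."""
    domains = load_domain_indicators(INTEL_FILE)
    t0 = 1441900000.0
    lines = [dns_line(t0 + 60 * i, "10.0.0.5", "evil.example") for i in range(11)]
    lines += [dns_line(t0 + 100 * i, "10.0.0.9", "evil.example") for i in range(9)]
    lines.append(dns_line(t0 + 3700, "10.0.0.9", "evil.example"))
    lines.append(dns_line(t0 + 5, "10.0.0.9", "www.example.org"))   # benign query
    lines.sort(key=lambda l: float(l.split("bro_dns: ", 1)[1].split()[0]))
    return analyze_dns(lines, domains)


if __name__ == "__main__":
    for src, ts in demo():
        print(f"[BRO] Excessive Bad Domains (10+) src={src} ts={ts:.0f}")
```

The indicator match is a whole-field comparison, so a query for a subdomain of an indicator does not count; that mirrors Bro's own exact matching for Intel::DOMAIN and is the behaviour to keep in mind when building the feed.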
Another example is a more advanced detection that works across multiple rules using flowbits, a feature of the snort-like rule language. With flowbits we can perform basic correlation across different log files, such as checking for an HTTP request in http.log and then looking in files.log for a file carried over that connection. A practical case is testing for the successful use of a proxy: match an HTTP request indicative of proxy behaviour, then check files.log for a transferred file of guessably significant size within 60 seconds of the original HTTP request. Arithmetic operators such as less than or greater than would help in expressions that compare byte counts, but there are two problems:

  1. Expressions like these are not available in this rule language
  2. This language doesn't understand Bro fields (e.g. files.log has multiple fields of type count)

Because of this we cannot tell Sagan to match files.log entries where seen_bytes is greater than, say, 1024: there are no arithmetic operators, and even if there were, Sagan would not know which field to evaluate (having no concept of data types, it could just as well compare against the digits of an IP address). With some ingenuity and luck we can still approximate the detection. files.log has a duration field of type interval, which prints like a floating point number. A negated content match on 0.00 makes the rule fire only when that string is absent from the log line, so a duration of 1.24 triggers an alert while 0.00 does not. This is a best-guess indicator that the file transferred over the HTTP connection was large enough to take more than zero seconds. It does not account for network conditions, and because the negated content applies to the whole line, any other field containing 0.00 (a duration such as 10.000000, or a timestamp whose microseconds are zero) suppresses the alert as well, which makes it imperfect like most of the rules we have today.

The first rule matches the HTTP CONNECT method commonly used by clients accessing a proxy; the partial content match ROXY-CONNECTION covers both the PROXY-CONNECTION and XROXY-CONNECTION header names that Bro records in the proxied field of http.log. It does not alert, due to its use of the noalert option. Its purpose is to set a flowbit, kept for 60 seconds, once a proxy attempt using CONNECT occurs; the next rule, which watches for the flowbit named bro_possible_proxy_connect, then gets a chance to fire.
# Match on HTTP CONNECT methods
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Possible Proxy via CONNECT"; content: " CONNECT "; content: "ROXY-CONNECTION"; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, bro_possible_proxy_connect, 60; flowbits: noalert; classtype: suspicious-traffic; sid: 11000002; rev:1;)
The second rule matches on files.log; it uses a few content matches to identify the log by its content, such as the SHA in the list of hash analyzers attached to the file. The parse ip options swap the direction of the IP addresses relative to the original HTTP request, because the file will most likely be coming from the server and files.log lists the sending host before the receiving one. This is needed to correlate on the offending IP across the HTTP request and the transferred file: we do not want to alert on a transfer recorded in files.log for some other host that never issued the HTTP CONNECT!
# Follow up rule to validate the use of a proxy
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Proxy Detected via CONNECT"; content: "SHA"; content:!"0.00"; pcre: "/SSL|HTTP|FTP/"; parse_src_ip: 2; parse_dst_ip: 1; flowbits: isset,by_src,bro_possible_proxy_connect; classtype: suspicious-traffic; sid: 11000004; rev:1;)
Syslog tags can be used in rules to tell the different log files apart (for example the bro_dns: tag set in the rsyslog configuration above, matched with Sagan's program option), which is more robust than recognising a log by its content. There's plenty more to detect and explore; if you're performing log analysis on Bro, share your rules and experiences with the community.
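The two-rule correlation above, as an added Python approximation (example code, not from Sagan or the BroCon talk): rule 11000002 sets the flowbit bro_possible_proxy_connect for 60 seconds, keyed on the first IP in an http.log line, and never alerts; rule 11000004 alerts on a files.log line only if that flowbit is still set for the second IP in the line, the receiving client. The http.log and files.log lines are constructed in Bro 2.4 field order. Two assumptions are built in: content matching runs over the whole line with tabs turned into spaces, since the rule's space-padded " CONNECT " only matches if Bro's fields reach Sagan space-separated (check what the receiving syslog daemon does with tab characters), and the flowbit clock is the Bro ts field rather than Sagan's wall clock.

```python
import re

# Added example, not code from Sagan or the BroCon talk: an approximation of the
# two-rule flowbit correlation, run over constructed http.log and files.log
# lines in Bro 2.4 field order. Content matching works on the whole line, as
# Sagan's does; tabs are turned into spaces first because the rule's " CONNECT "
# match assumes space-separated fields (an assumption about how lines reach Sagan).

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
FILE_SOURCE = re.compile(r"SSL|HTTP|FTP")     # pcre: "/SSL|HTTP|FTP/"
FLOWBIT = "bro_possible_proxy_connect"
FLOWBIT_TTL = 60                              # flowbits: set, <name>, 60


class Flowbits:
    """Per-source flowbits with an expiry, like `flowbits: set` / `isset,by_src`."""

    def __init__(self):
        self.expiry = {}                      # (name, src) -> absolute expiry time

    def set(self, name, src, now, ttl):
        self.expiry[(name, src)] = now + ttl

    def isset_by_src(self, name, src, now):
        exp = self.expiry.get((name, src))
        return exp is not None and now <= exp


def log_ts(line):
    """Bro's ts is the first field after the syslog tag (assumes a 'tag: fields' layout)."""
    return float(line.split(": ", 1)[1].split()[0])


def rule_possible_proxy_connect(line, bits):
    """sid 11000002: " CONNECT " plus "ROXY-CONNECTION" (covers the PROXY-CONNECTION
    and XROXY-CONNECTION names Bro puts in http.log's proxied field). Sets the
    flowbit for the first IP (parse_src_ip: 1, the client) and never alerts."""
    text = line.replace("\t", " ")
    if " CONNECT " in text and "ROXY-CONNECTION" in text:
        ips = IPV4.findall(text)
        if ips:
            bits.set(FLOWBIT, ips[0], log_ts(line), FLOWBIT_TTL)
    return None                               # flowbits: noalert


def rule_proxy_detected(line, bits):
    """sid 11000004: a files.log line (hash analyzers mention SHA, source is
    SSL/HTTP/FTP) without the string 0.00 anywhere, whose second IP
    (parse_src_ip: 2, the receiving client) set the flowbit less than 60 s ago."""
    text = line.replace("\t", " ")
    if "SHA" not in text or "0.00" in text or not FILE_SOURCE.search(text):
        return None
    ips = IPV4.findall(text)
    if len(ips) < 2:
        return None
    client = ips[1]
    if bits.isset_by_src(FLOWBIT, client, log_ts(line)):
        return ("[BRO] Proxy Detected via CONNECT", client, log_ts(line))
    return None


def http_connect_line(ts, client, proxy):
    """Constructed http.log line: CONNECT through a proxy with a Proxy-Connection header."""
    fields = [f"{ts:.6f}", "CHhAvVGS1DHFjwGM9", client, "51234", proxy, "8080", "1",
              "CONNECT", "www.example.org:443", "-", "-", "Mozilla/5.0", "0", "0",
              "200", "Connection established", "-", "-", "-", "(empty)", "-", "-",
              "PROXY-CONNECTION -> Keep-Alive", "-", "-", "-", "-"]
    return "Sep 10 12:00:00 bro-manager bro_http: " + "\t".join(fields)


def files_line(ts, server, client, duration, source="HTTP"):
    """Constructed files.log line: tx_hosts (server) comes before rx_hosts (client).
    Timestamps with non-zero fractions are used so no stray 0.00 appears in the line."""
    fields = [f"{ts:.6f}", "FdUxKb3YbJnXq6S2e", server, client, "CHhAvVGS1DHFjwGM9",
              source, "0", "MD5,SHA1", "application/octet-stream", "-",
              f"{duration:.6f}", "F", "F", "40960", "40960", "0", "0", "F", "-",
              "d41d8cd98f00b204e9800998ecf8427e",
              "da39a3ee5e6b4b0d3255bfef95601890afd80709", "-", "-"]
    return "Sep 10 12:00:00 bro-manager bro_files: " + "\t".join(fields)


def demo():
    """Only the client that sent the CONNECT and then received a file that took
    more than 0.00 s, within 60 s, is reported."""
    t0 = 1441900000.0
    proxy, client, other = "198.51.100.8", "10.0.0.5", "10.0.0.7"
    lines = [
        http_connect_line(t0, client, proxy),
        files_line(t0 + 5.5, proxy, client, 1.24),   # alerts
        files_line(t0 + 6.5, proxy, other, 1.24),    # 10.0.0.7 never sent CONNECT
        files_line(t0 + 7.5, proxy, client, 0.0),    # duration 0.000000: negated
        files_line(t0 + 90.5, proxy, client, 2.5),   # flowbit expired after 60 s
    ]
    bits = Flowbits()
    alerts = []
    for line in lines:
        rule_possible_proxy_connect(line, bits)
        hit = rule_proxy_detected(line, bits)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for msg, src, ts in demo():
        print(f"{msg} src={src} ts={ts:.1f}")
```

Running it reports one alert, for 10.0.0.5 at the file seen 5.5 seconds after its CONNECT; the other three files.log lines show the three ways the correlation stays quiet: a different client, a zero duration, and an expired flowbit.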


For more information see the Bro Integrations slides and talk at BroCon '15

Tuesday, September 8, 2015

Bro 2.4.1 Release

Bro 2.4.1 has been released. This release addresses a few potential DoS vectors that could be triggered with specially crafted connections. The release also contains minor updates to analyzers to reduce the number of messages in reporter.log. The source distribution is available on the download page. Our binary packages will be updated later today - users should be able to update the package automatically using their system package manager.

See CHANGES for the full list of changes in the release.

Since this is a bug fix release, we encourage users to update at their earliest convenience.

The Bro Team

Tuesday, June 16, 2015

OpenSSL Denial of Service Impacting Bro - CVE-2015-1788

A denial of service exploit for OpenSSL was announced recently. We verified that the vulnerability does propagate into Bro and has the same effect in Bro as in other software that uses OpenSSL. If a Bro process sees a certificate mangled in the way described in the announcement, it passes the certificate to OpenSSL, which causes the Bro process to lock up with high CPU utilization.

Everyone is going to want to upgrade OpenSSL on their Bro devices as soon as possible.  This is easy to exploit since X.509 certificate parsing happens in a number of places in Bro and a usable proof of concept certificate was released with the announcement.

In the event that you are unable to upgrade OpenSSL on your installation immediately, we have a script that can be used to disable X509 certificate handling on Bro.  It is a stopgap measure and should only be used temporarily due to the fact that any analysis being performed that relied on certificate parsing will be broken.  It will make your installation avoid the DoS though.

The short and simple script can be downloaded here:

Good luck, and reach out to us on the Bro mailing list if you have any trouble.

Update #1. RedHat has pointed out that their distributions and derivatives don't have this problem because of their compile options.  The RedHat notification:

Update #2.  The script to compensate for the problem has been updated and should now support 2.3 as well as 2.4 (including the brief file api that existed during the development cycle but was changed before the release).  We've only validated the problem on 2.3 and 2.4 and generally recommend that everyone runs nothing older than those two release series as a general rule.

Tuesday, June 9, 2015

Bro 2.4 released

We are happy to announce that Bro 2.4 has been released and is available for download. For a brief overview of the new features, please look at our blog post of the 2.4 beta. Since the beta, there were a few small bugfixes and further documentation updates.

See NEWS for the release notes and CHANGES for the exhaustive list of changes.

Feedback is encouraged and should be sent to the Bro mailing list.

We extend sincere thanks to all who have helped make this release possible, especially those members of the community who have given us their feedback and support.

The Bro Team

Monday, May 18, 2015

Bro Monthly #5

Welcome to the 5th Bro Monthly newsletter. This month we cover the following topics:
  • Bro Meet-ups: our category for Bro related gatherings and groups,
  • Bro Commits: Bro v2.4 is here,
  • Bro in the wild,
  • Bro internal.

Bro Meet-ups

BroCon'15 Agenda online

Still not registered for BroCon'15?
Please have a look at our updated agenda.
We are happy to announce that the inventor of Bro, Vern Paxson will give a keynote speech.

The deadline to submit your presentation is coming very soon, May 29th. We already have some exciting topics but there is for sure room for more. Send us your Bro story.

Bro Commits: Bro v2.4 is here

We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality.
  • Announcing the release of Broker: Bro's new communication library.
  • Major improvements to BroControl's reliability and error handling.
  • New analyzers: including SSH, DTLS, RDP, and MySQL.
  • File analysis supports reassembly of files not transferred/seen sequentially.
  • And, BroCut was rewritten in C to improve its speed.
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Bro in the wild

In this category we list Bro related finds from the web. If you want us to list your Bro story here, please contact us via


Bro Internal

Friday, May 8, 2015

Bro 2.4 Beta

We are happy to announce the beta of Bro v2.4 is available for download! Here is a brief summary of new features and improvements:
  • Support for external plugins to extend core functionality
  • Announcing the release of Broker: Bro's new communication library
  • Major improvements to BroControl's reliability and error handling
  • New analyzers: including SSH, DTLS, RDP, and MySQL
  • File analysis supports reassembly of files not transferred/seen sequentially
  • And, BroCut was rewritten in C to improve its speed
Binary packages are also available.

See NEWS for preliminary release notes and CHANGES for the exhaustive commit list.

Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Tuesday, March 10, 2015

BroCon '15 Call for Presentations

BroCon '15 is now accepting presentation proposals.  

This year is Bro's 20th Anniversary. To mark this special occasion we are looking for presentations that represent the diverse applications of Bro:

  • as a tool for solving problems;
  • interesting user stories, solutions, or research projects;
  • a postmortem analysis of a security incident, emphasizing Bro's contribution;
  • the value Bro brings to your professional work;
  • and, using Bro for more than intrusion detection. 
Send abstracts to: 
Subject: BroCon 2015 Call for Presentations 
Due Date: Friday, May 29th

Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.