Wednesday, November 30, 2011

Bro Language Cheat Sheet

You asked for it, we created it. The Bro language cheat sheet is now available from our community presence at github. This document describes the scripting language on a single page, and also provides a solid reference of the most important built-in functions. Print it and place it next to your cup of coffee, as you are now equipped to write the next APT detector in Bro.

We provide the source code of the cheat sheet, which comes with a Creative Attribution-NonCommercial-ShareAlike license. This means you can adapt and redistribute it for non-commercial purposes as long as the attribution remains intact. If you feel that the document could be improved, we encourage you to use the proven github model of forking, updating, and creating a pull request.

To whet your appetite, check out the two screen shots of the first two pages below. Enjoy!

Main page

Wednesday, November 16, 2011

Bro Workshop 2011 is Sadly Over

Last week we held our first workshop since the full team came together for the NSF grant, and I felt like the workshop went very well. It was by far the largest workshop in terms of attendance; I think we had over 55 people in the room most of the time!

Personally, it was great to get a chance to put so many faces to names. I've communicated with many people but had the chance to meet far too few. In particular I was excited to see the growing interest in Bro from the incident response community. We've really pushed Bro with the 2.0 release to be well tuned and relevant for security operations straight "out of the box". Now I'm looking forward to learning and helping with new deployments in 2012 and more questions about networks that we could help answer with Bro.

Speaking of answering questions about networks, there was a particularly interesting occurrence on the second day. The entire day seemed to revolve around the idea of asking questions about networks and getting real answers. Everything revolved around this: the exercises, the presentations, even the invited talks given by incident responders. I've been pushing for this as part of the approach to Bro for a long time, since Bro is a great tool for answering questions, so I'm really happy to see others using Bro in a similar way. Now that the 2.0-beta is released and 2.0-final is approaching, I will begin posting snippets and full scripts soon that help you answer questions about your own networks. There are so many questions, and so little time.

I would really like to thank everyone who listened to my pleading to attend the workshop and those whom I didn't even need to plead with. You all added to my experience of the workshop and opened my eyes to new ways of thinking about how Bro can and should be used. I hope you got as much from the workshop as I did.

Finally, I wanted to mention that all of the material from the workshop (video, exercises, slides) will be released very soon and we will be sure to do another quick blog post when it's available.

That's enough writing, now back to coding and documentation...

Friday, October 28, 2011

Public Beta of Bro 2.0 Released

We are very excited to announce a public beta of Bro 2.0. For more than a year, we have worked on some of the most substantial changes that Bro has ever seen. We are very pleased with the result, and would like to invite everybody to give it a try at this time so that we can identify and address any quirks that might still remain. The beta version is now available for download.

As the version number jump suggests, this is a major update that looks quite different from previous 1.x versions. While internally, there's actually not that much that has changed—besides some new functionality, some stale functionality that's been removed, and lots of bugfixes—at the user-level, Bro 2.0 looks completely different. We pretty much rewrote all default policy scripts that ship with the distribution, focusing more on operational deployment than in the past. The new Bro does much more out of the box now, and it's also quite a bit easier to customize and extend its processing. The one thing you'll probably notice first is the completely overhauled logging output: every log file is now well structured into typed columns that are easily parseable with other tools.

We're still working on further documentation for all the new stuff (and the old as well), but to get you started, there's a new quickstart guide, an upgrade guide for users coming from 1.5, and a number of further documents that focus on areas like reporting, logging, and cluster deployment.

If you give the beta a try, please let us know how it goes. The best way to report any problems you may encounter, or suggest further ideas you have, is the issue tracker.

We emphasize that we do not recommend the beta version for production usage at this time; better to wait for the final release with that. Please also note that while a lot of effort went into Bro 2.0, we had to postpone work on some areas to future versions. In particular this concerns Bro's support for IPv6, which is still mostly at the 1.x state (and thus quite basic and somewhat fragile). Improving that will be a top priority for 2.1.

Tuesday, August 2, 2011

Bro Workshop 2011

We are happy to announce that we have just opened registration for the 2011 Bro Workshop. It's going to be held at NCSA in Urbana, IL from November 8th to November 10th. This workshop should be interesting since it will be the first chance where we will teach and explain all of the changes we have brought to Bro in the past year.
For more information and the link to the registration form, please visit our workshop information page.

Thursday, June 16, 2011

New Web Server is Live

We are happy to announce that a completely new web server for the Bro project is now live. Switching to the new server also completes our move to some further new infrastructure components such as git repositories, a modernized tracker, new development mailing lists, a Bro Twitter account, and of course this blog.

The old server (and Wiki) will remain accessible for a while but its content is kept only for reference at this point and no longer maintained.