Thursday, December 18, 2014

Bro Rewind 2014

Bro 2014

Welcome to the Bro monthly newsletter, which for the month of December features the Bro annual newsletter, recapping the events of 2014.
We will talk about:
  • Bro events in 2014. 
  • New resources for the community: in 2014 the Bro community gained many new resources to learn, teach, and get help with using Bro. 
  • Bro impact: an overview of Bro's visibility and impact in terms of statistics and awards. 
  • Security is broken: highlights of the security breaches we saw in 2014. 
  • Bro dev: new developments, major releases.
  • Bro research: along with being a widely used NSM, Bro also both enables research and itself inspires research and innovation. 

Bro Events

  • Cybersecurity Summit 2014 — August 2014 
  • BroCon ‘14 — August 2014 
  • Floss Weekly — May 2014 
  • DOE Network Monitoring Group Meeting — May 2014, Lawrence Berkeley National Laboratory 
  • BSides Cincinnati — May 2014 
  • Troopers 2014 — March 2014. Talk: Bro: A Flexible Open-Source Platform for Comprehensive Network Security Monitoring. Slides.
  • The Bro Team presented a members-only two-day Bro training workshop for the Department of Energy.

Bro Resources

Over the last year the Bro team continued to improve the usability of Bro, including the resources around it, such as documentation. In this section we focus on new developments.

Bro Center of Expertise

The Bro Center of Expertise is a central point of contact for institutions funded by the National Science Foundation (NSF) that bundles the Bro Team’s expertise and offers it to NSF-supported sites seeking advice.

The Center provides the umbrella for many of the efforts we discuss below.

The More You Bro

The More You Bro is a series about various features of Bro, taught in the format of a hands-on tutorial. The episodes are intentionally brief to keep the content focused and approachable to new learners. Interested in suggesting a topic? Send us an email at or Tweet us @Bro_IDS.

The Bro Teaching Community

The Bro Teaching Community aims to create a knowledge base and resource collection for educators, ranging from example curricula and slide sets to exercises for all purposes and skills levels. By coordinating and synchronizing existing and future teaching efforts, we want to help share materials, and exchange “lessons learned” from different settings. With members of the core Bro team involved, the Community also helps with technical questions and provides guidance on using Bro effectively.

The Bro Teaching Community offers a bi-weekly meeting as well as access to a restricted git repository where we collect reusable teaching material. In the meetings we discuss possible curricula, technical problems, and other related topics.  The Bro Teaching Community is a collaboration of the Bro core team and interested university faculty.

Get in touch via

The Bro Playground

Teaching, learning, and testing are activities that are sometimes hard to distinguish. They all need a non-disruptive space that allows exploration without risking harm to production systems.

In 2014 the Bro team released two new tools that allow you and your students to explore Bro in a safe way.

Bro Live!

Bro Live! is a training system that gives users hands-on access to a Bro learning environment without having to install a virtual machine and deal with associated dependencies. Bro Live! can be built with exercises for a given class or workshop, with access to the environment limited to the duration of the event if desired. All the user needs is an SSH client and Internet access.

Bro Live! is a Linux-based sandbox system, relying on Linux containers, OpenSSH, and Docker. It places the user in their own isolated environment with shell access to Bro, the exercises, and the standard Unix toolset. The user's work is saved in their container, typically for the duration of the training event, and the container can easily be re-attached at any time during the event to continue that work.

To use Bro Live!, download it from GitHub.


The work on Bro Live! led to the development of ISLET.

ISLET, the Isolated, Scalable, and Lightweight Environment for Training, is a platform for teaching Linux-based software that reduces the administrative overhead of building training environments and ensures a smoother training experience for users than comparable virtual-appliance-based training. We intend ISLET to provide an improved replacement for event training that relies on virtual machines. It excels at quickly providing users with shell access to containers to play with network security and other Linux-based tools.

The official Bro Live! training image works with ISLET, and we launched a precursor at BroCon '14.

Try.Bro is a web-based scripting sandbox made freely available to users on our site. No login. No installation. No trouble.

We have included a few basic scripts and pcaps to help users get started. Users can paste their own scripts or upload their own pcaps. The environment includes version selection to test your scripts against current or previous versions of Bro. In addition, Try.Bro caches a user's work and generates unique URLs to enable sharing with others. No more copying and pasting scripts or log files, just send the link. We store code fragments for three days and pcaps for one hour, resetting the timeout when the link is used.

Bro Impact

Since the make-over of Bro in 2012, which specifically targeted better usability for production deployments, Bro has attracted more users every year. All the Bro 2.x releases were enabled by an NSF award that ended in 2014, with the NSF Center now continuing that work. 

With the number of users, the number of contributors and third party scripts and extensions grew as well. In this section we sketch these developments.

InfoWorld awarded Bro a 2014 "Bossie Award" in the category "The best open source networking and security software", and they also included Bro in their list of "11 open source security tools catching fire on GitHub". Indeed, Bro is now at the top of GitHub's security showcases list and has more than 640 stars.

We typically see about 10,000 direct downloads per version from our main server.  These tend to come from a couple thousand unique ASNs across about 150 countries. These numbers do not include downloads from GitHub, nor what has arguably become the most common way for new users to get started with Bro: Security Onion, a Linux-based live DVD environment tailored to security monitoring, which includes Bro as a key component.

During the recent years attendance at our annual Bro user meetings grew from originally 30-50 people to 150 attendees from 60 different institutions at the 2014 event.

Our Twitter account shows almost 3,000 followers, and the main Bro mailing list now reaches close to 1,000 people.

Security is Bro-ken

2014 saw a number of severe security incidents, many of them concerning TLS/SSL. Here is a collection of some of the most important cases.


The Heartbleed vulnerability in the widely used OpenSSL library can reveal memory contents of processes running OpenSSL, which can include highly sensitive data such as encryption key material. Due to the ease of exploiting it and the large number of vulnerable servers, the vulnerability was very widely reported, and represents one of the most serious security problems in the Internet this year. Bro includes a thorough detection script that can alert users if Heartbleed exploits are performed on their network.

To enable Heartbleed detection, load the policy/protocols/ssl/heartbleed.bro script.  If you use broctl, it will be loaded by default in a new installation using this branch. If using Bro on the command line, e.g., to read a trace, specify it directly:

bro -r [trace] policy/protocols/ssl/heartbleed

As usual, Bro will write the corresponding notices to notice.log.


Another significant vulnerability was first "announced" by a patch message. On September 24th, news went viral about a Bash patch that revealed a very serious vulnerability in Bash: "... the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents." [source]

In other words, this bug allows anyone to execute their own code on affected remote hosts!  Even worse, if a vulnerable server runs as root, an attacker exploiting the vulnerability can immediately, and trivially, acquire full control over the server's system.

A Bro Shellshock detector was released September 25th by Broala.

SSLv3 - Poodle

SSL headaches were still not done for the year. October saw the discovery of a protocol flaw in SSLv3.  To find SSLv3 servers in Bro logs:

cat ssl.log | bro-cut version id.resp_h | grep "^SSLv3" | awk '{print $2}' | sort | uniq -c | sort -nr
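The pipeline above relies on bro-cut to select the columns. As an added example that is not part of the newsletter, the following POSIX shell function resolves the version and id.resp_h columns from the log's own #fields header, so the same SSLv3 server count works on a Bro TSV log even where bro-cut is not installed; the ssl.log lines it runs on are constructed and abbreviated (real logs carry more columns).

```shell
#!/bin/sh
# Added example (not from the newsletter): count Bro ssl.log servers that
# negotiated SSLv3, locating columns via the "#fields" header like bro-cut does.

sslv3_servers() {
    # $1: path to a Bro ssl.log (tab-separated, with a #fields header line)
    awk -F'\t' '
        /^#fields/ {
            # "#fields" itself is $1, so data column of name $i is i-1.
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            v = col["version"]; h = col["id.resp_h"]
            next
        }
        /^#/ { next }                          # skip other metadata lines
        v && h && $v == "SSLv3" { count[$h]++ } # one hit per SSLv3 connection
        END { for (ip in count) printf "%7d %s\n", count[ip], ip }
    ' "$1" | sort -nr
}

write_sample_log() {
    # Constructed, abbreviated ssl.log in Bro 2.x format; written with printf so
    # the tab separators survive copy/paste.
    printf '#separator \\x09\n' > "$1"
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\n' >> "$1"
    printf '1413540000.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\n' >> "$1"
    printf '1413540001.2\tC2\t10.0.0.6\t51001\t192.0.2.10\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\n' >> "$1"
    printf '1413540002.3\tC3\t10.0.0.7\t51002\t192.0.2.20\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n' >> "$1"
    printf '1413540003.4\tC4\t10.0.0.8\t51003\t192.0.2.30\t443\tSSLv3\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\n' >> "$1"
}

# Stand-alone demonstration on the constructed log.
LOG=$(mktemp)
write_sample_log "$LOG"
sslv3_servers "$LOG"
rm -f "$LOG"
```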

Blog post: The SSLv3 #Poodle Attack & current SSL usage statistics from the ICSI SSL Notary — ICSI Notary (@ICSInotary), October 17, 2014.

Bro Dev

During the last year Bro was developed further and extended. This section presents a selection of the coding news from the Bro universe.

Bro 2.3

The release of 2.3 freed Bro from its dependency on libmagic. The release brought (among other things) new SSL functionality, e.g., to detect the Heartbleed vulnerability; analyzers for SNMP and RADIUS; and extended capabilities for PF_RING.

Users still operating on 2.2 can find out what's exciting about 2.3.

Packet Bricks

We are happy to announce an initial prototype of Packet Bricks, a new Bro-related project written by Asim Jamshed from KAIST, who visited the Bro team in Berkeley over the summer.

Packet Bricks - which is still under active development - is a Linux/FreeBSD daemon that is capable of receiving and distributing ingress traffic to user-land applications. Its main responsibilities will eventually include: (i) load-balancing, (ii) duplicating, and/or (iii) filtering ingress traffic across all registered applications. The distribution is flow-aware (i.e., packets of one connection will always end up in the same application). Packet Bricks leverages the netmap packet I/O framework for handling packets efficiently, and employs netmap pipes to forward packets to user-land applications.

Packet Bricks is available on GitHub. It's still a very early piece of software, and we announce it at this time primarily for users willing to help us collect some first experiences with it. If you have any feedback, please send it to the Bro development mailing list. If you aren't subscribed yet, do so here.

Bro Research

Bro's powerful traffic-analysis capabilities make it a valuable research tool, and Bro itself also serves as a domain for research.

BinPAC++ Release

In the context of ICSI's ongoing research projects, we developed a prototype of BinPAC++.

BinPAC++ is a next-generation parser generator that makes it easy to build parsers for network protocols, file formats, and more.  It provides a comprehensive system that enables developers to write attributed grammars defining both syntax and semantics of an input format inside a single comprehensive scripting language.

The BinPAC++ toolchain, built on top of HILTI, turns such grammars into efficient parsing code that exposes a well-defined C interface to its host application for feeding in input and retrieving results. At runtime, parsing proceeds fully incrementally—and potentially in parallel—on input streams of arbitrary size. Compilation takes place either statically at build time, or just-in-time at startup.

You might have seen Robin Sommer's demo at BroCon'14. If you want to try it out, you can fetch the code, though keep in mind that it is still a prototype and not yet production-ready.

Bro Related Publications

Here is an overview of this year's research output. The list contains publications of Bro team members but also external publications that use or extend Bro for their work. Please note that we do NOT know whether this list is complete; there might be more publications out there, and you are invited to let us know about any of them.

You can find a more complete list of Bro-related publications here.
