Friday, October 10, 2014

Bro Monthly #2

Bro Monthly #2

Welcome to the 2nd Bro Monthly newsletter.
This month we cover the followoing topics:
  • Bro won a Bossie,
  • needs help,
  • the Shellshock incident,
  • new features in the Intel framework,
  • news on BinPAC++,
  • Bro in research,
  • Bro in the wild,
  • Bro on demand. Needs Help

Bro has changed -- and improved -- a lot during the last years. needs to keep pace with our developers and engineers, so we are looking for a web developer who can help us to give a facelift.

Please find all details on our jobs site.

Current Developments


The topic of the month was for sure the shellshock.
On September 24th the news went viral about a Bash patch that revealed a very bad vulnerability in Bash:
''...the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.'' [from]
In other words, this bug allows anyone to execute their own code on affected remote hosts, in some cases even as root.

A Bro shellshock detector was released September 25th by Broala.

If this is all news to you, please stop reading here!
Patch your system NOW and use the Bro detector to see if you were attacked. You are welcome to continue reading afterwards.

BinPAC++ Code Release

BinPAC++ is a next-generation parser generator that makes it easy to build parsers for network protocols, file formats, and more.
BinPAC++ is more than just a "yacc for protocols": it's an all-in-one system that enables developers to write attributed grammars defining both syntax and semantics of an input format inside a single comprehensive scripting language.

The BinPAC++ toolchain, built on top of HILTI, turns such grammars into efficient parsing code that exposes an well-defined C interface to its host application for feeding in input and retrieving results. At runtime, parsing proceeds fully incrementally—and potentially in parallel—on input streams of arbitrary size. Compilation takes place either statically at build time, or or just-in-time at startup.

You might have seen the name BinPac++ in the last Bro Monthly or even seen Robin Sommer's demo at BroCon'14. If not watch the video of the demo, get excited, and fetch the code from here.

Don't get too excited, though, because this is all still in prototype state, and not production-ready yet.

Intel Framework - New Features

Seth Hall published two new features for the Intel Framework this month:
  • The ability to extend the Intel log by handling the new Intel::extend_match event.
  • The ability to whitelist items with a new intel item field named "whitelist". If you want to start whitelisting intel items at runtime, you should create a new intel file with an extra "meta.whitelist" field and set the field value to "T" (there is a test that shows this). As you add elements to this intel file, those items won't show up in your log file.
Note that the script renames the intel.log to intel-ext.log.

Bro Research

Summary Statistics Framework

Last month, we presented our research paper on the Bro Summary Statistics Framework at the International Symposium of Research in Attacks, Intrusions and Defenses (RAID) in Gothenburg, Sweden. The Summary Statistics Framework allows the easy calculation of a wide array of statistics in real-time, independent for the underlying data. It is, e.g., used in Bro to detect port scans and brute-force attacks. It has a wide array of applications, like finding top traffic sources in your network, getting lists of the top DNS requests, etc.
For more details please Read the paper.

Heartbleed Study

Another research paper that was recently released is a measurement study about the Heartbleed SSL bug.
Among other measurement methods, the paper uses Bro to examine pre- and post-exploit network traces of several research institutions. The study used the Bro SSL analyzer to detect Heartbleed traffic in those traces.
For more details please refer to the publication.

Bro On Demand

Your call for better/more documentation is heard.
This month we improved the script language reference
and the documentation on the default logs.
We are constantly working on further documentation improvements.
Please use the community channels to let us know what is still missing in the

Bro In The Wild

BruCon 0x06 presents their findings reviewing their network
using Bro. For everyone who always wanted to know what weird.log is good for, we recommend this blog post.
They find a lot by analyzing weird.log.

NodeJS has started a nice project called nodejs that can help you to get more out of your Bro logs.
''The idea is to do processing events from BRO IDS in nodejs - this is a simple first step by parsing the bro log files
'online' and generate new events when any of the logs gets modified.''

Bro Plugins from the outside
Anthony Kasza (OpenDNS) wrote another Brolog entry, this time about his first experience porting a script to a plugin. We are always working on our documentation, but being a part of the Bro team sometimes conflicts with writing down the ''right'' things to help others using Bro.
If you have trouble getting started with Bro plugins, Anthony's approach from the outside might help you.

Note that plugins require the current development version of Bro.
There's also some initial documentation on our web site.

Bro Teaching Community

The Bro Teaching Meeting is moved from every Tuesday to every second Friday 10 AM PST, starting 10/10.
If you want to join the Teaching community to learn more about teaching (with) Bro and share your experiences, write to
The next Teaching Meeting will then be at 11/07 due to vacation.