Wednesday, November 19, 2014

Bro Monthly #3


Welcome to the 3rd Bro Monthly newsletter.
This month we cover the following topics:
  • Bro Meet-ups: a new monthly category for Bro related gatherings and groups,
  • Bro teaching and training,
  • Bro in research,
  • Bro in the wild,
  • Bro-active: current exploits, attacks, and how Bro can help, and other everyday Bro.

Call for news:


If you want to point us to anything that should be in the next monthly, just let us know: send mail to news@bro.org or tweet it to @Bro_IDS.

Bro Meet-ups


This new category lists all meet-ups we hear of that are somehow related to Bro. If you send us the information we can list your event here. Just write to info@bro.org.

OpenNSM


OpenNSM aims to provide a place for network security analysts, and for anyone interested in information security with a network security and incident response focus, to share tricks, solutions, projects, and other knowledge about the subject. We're not aware of any other active NSM user group in the United States, and we have the ambitious goal of being a premier place for students, professionals, and hobbyists from all over to share their research, tools, and techniques in a laid-back and friendly environment. Remote attendance is available. Join the mailing list or Facebook group for meeting info.

They've had 3 presentations from Bro Team members so far and more to come!

More info: http://opennsm.ncsa.illinois.edu/

Bro teaching and training


ISLET


The Isolated, Scalable, & Lightweight Environment for Training (ISLET) is a container system for teaching Linux-based software with minimal participation and configuration effort. You can use ISLET to teach Bro by installing the BroLive! environment ('make install-brolive-config') after installing ISLET.

https://github.com/jonschipp/islet
https://registry.hub.docker.com/u/broplatform/brolive/


Bro research


HILTI


When developing networking systems such as firewalls, routers, and intrusion detection systems, one faces a striking gap between the ease with which one can often describe a desired analysis in high-level terms, and the tremendous amount of low-level implementation details that one must still grapple with to come to a robust solution. At this year's Internet Measurement Conference (IMC) we presented a prototype of "HILTI", a platform that bridges this divide by providing much of the standard low-level functionality, without tying it to any specific analysis structure.


Beyond pattern matching: a concurrency model for stateful deep packet inspection


On modern multi-core processing platforms, intrusion detection systems need to scale across a large number of processing units, a challenge because distributing their analysis must not come at the cost of decreased effectiveness in attack detection. At ACM's Conference on Computer and Communications Security (CCS) we presented a novel domain-specific concurrency model that facilitates concurrent traffic analysis by partitioning input according to fine-granular analysis scopes.


Bro in the wild




Bro-active


SSLv3


SSL continues to produce headaches; last month's hiccup was a protocol mistake in SSLv3.

To find SSLv3 servers in your Bro logs, this line helps:

bro-cut version id.resp_h < ssl.log | grep "^SSLv3" | awk '{print $2}' | sort | uniq -c | sort -nr
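The same count done in Python, as an added example that is not from the newsletter: it reads Bro's #fields header instead of relying on column positions, so it keeps working if the log's field order changes. The ssl.log excerpt embedded below is constructed for the example; the field names (version, id.resp_h) are the ones Bro writes to ssl.log.

```python
"""Count SSLv3 responders in a Bro ssl.log, like the bro-cut pipeline above,
but driven by the #fields header so no column position is hard-coded."""
from collections import Counter
from typing import Dict, Iterator, List, Tuple

def _row(*cols: str) -> str:
    return "\t".join(cols)

# Constructed ssl.log excerpt in Bro's tab-separated log format (field list trimmed).
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tssl",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "cipher"),
    _row("#types", "time", "string", "addr", "port", "addr", "port", "string", "string"),
    _row("1416400000.1", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "51234", "192.0.2.10", "443", "SSLv3", "TLS_RSA_WITH_RC4_128_SHA"),
    _row("1416400001.2", "C4J4Th3PJpwUYZZ6gc", "10.0.0.6", "51235", "192.0.2.10", "443", "SSLv3", "TLS_RSA_WITH_RC4_128_SHA"),
    _row("1416400002.3", "CtPZjS20MLrsMUOJi2", "10.0.0.5", "51236", "192.0.2.20", "443", "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    _row("1416400003.4", "CUM0KZ3MLUfNB0cl11", "10.0.0.7", "51237", "192.0.2.30", "8443", "SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    _row("1416400004.5", "CmES5u32sYpV7JYN", "10.0.0.7", "51238", "192.0.2.20", "443", "-", "-"),
    "#close\t2014-11-19-12-00-05",
])

def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names from the #fields header line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, the #close trailer, or blank lines
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                continue  # skip a truncated record rather than misalign its columns
            yield dict(zip(fields, values))

def sslv3_responders(text: str) -> List[Tuple[str, int]]:
    """Responder hosts that negotiated SSLv3 with their connection counts, most frequent first
    (the same result as: bro-cut version id.resp_h | grep ^SSLv3 | ... | sort | uniq -c | sort -nr)."""
    counts: Counter = Counter()
    for rec in parse_bro_log(text):
        if rec["version"] == "SSLv3":  # an unset version ('-') never matches
            counts[rec["id.resp_h"]] += 1
    return counts.most_common()

if __name__ == "__main__":
    for host, n in sslv3_responders(SAMPLE_SSL_LOG):
        print(f"{n:>7} {host}")
```

Point it at a real log with `sslv3_responders(open("ssl.log").read())`; as with the pipeline, the count is per responder address, so a host serving SSLv3 on several ports shows up once.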


FireEye APT28


Bro Passive DNS tool


Friday, November 7, 2014

Using Bro to Build a Passive DNS Database

Searching DNS logs became a lot faster with the launch of our Passive DNS tool for Bro. It uses Bro's DNS logs to build a database that is more compact, and therefore a lot easier to search.
See how we did it by checking it out on GitHub.