Thursday, December 17, 2015

A New Bro Tutorial: Happy Holidays from the Bro Team

New Bro Tutorial

We are happy to announce our special present to the Bro Community: Our new interactive Bro Tutorial.

Based on try.bro.org this tutorial leads you step by step through the Bro Script Language and allows you to interactively run and change all examples. The first lesson is complete, more lessons are in the works.

Feedback and questions are more than welcome at info@bro.org.

We hope you enjoy our new little helper and wish you Happy Holidays.

Your Bro Team

Friday, December 11, 2015

Broker & CAF: An Interview with the Developers

With Broker as our new communication middle-layer, we set the foundation for more open and distributed deployments of Bro. Broker is the successor of Broccoli, with much more emphasis on asynchronous, distributed communication. Over the past decade, we learned that scaling network monitoring fundamentally requires load balancing. Bro cluster deployments are becoming mainstream, and Broker lays the foundation to harness them effectively.

Internally, Broker leverages CAF, the C++ Actor Framework, which lifts the actor model to modern C++ environments. We foster a close collaboration with the CAF developers, who have been very responsive and helpful so far. Recently, the team reached out to us for an interview, which you can find at their blog:


Stay tuned for more Broker-related updates in the future.

Thursday, December 10, 2015

Bro Receives $200K Grant from Mozilla

The Mozilla Open Source Support (MOSS) program has awarded the Bro Project a $200,000 grant to develop the Comprehensive Bro Archive Network (CBAN), a public repository for sharing 3rd-party scripts and plug-ins.

CBAN has been a proposed project for some time but requires more time and resources than we were able to dedicate to its development. This grant will allow us to acquire the people and hardware needed without sidetracking Bro's core development.

For members the community, CBAN solves the key challenge of helping people extend Bro beyond our provided scripts. Users will be able to easily share scripts, up-vote the best ones, and possibly have their scripts incorporated into Bro. Our hope is for CBAN to grow into a substantial repository, curated by the Bro community and its development team.

To learn more about the award and the other recipients, see Mozilla's blog post.

We thank the Mozilla Open Source Support program for its support.

Friday, December 4, 2015

OpenSSL security issue affecting Bro (CVE-2015-3194)

The OpenSSL Project today published a security advisory, that affects users of Bro that are using the X.509 certificate validation functionality of Bro. This functionality is enabled by default for cluster installations; it is not enabled by default when running Bro via the command line. Certificate validation is enabled by either loading the policy script protocols/ssl/validate-certs.bro or protocols/ssl/validate-ocsp.bro. To disable this functionality, make sure that none of these scripts are loaded in local.bro.

If certificate validation is enabled, an attacker can launch a DOS attack against a Bro installation. An attacker will be able to reliably crash all Bro nodes that use certificate validation and a vulnerable version of OpenSSL. The root cause of the OpenSSL bug is a null-pointer exception that occurs 
when parsing certain malformed X.509 certificates.

The issue affects OpenSSL 1.0.1 and 1.0.2 and was fixed in OpenSSL 1.0.1q and 1.0.2e respectively. If you use Bro and perform certificate validation, you should update as soon as possible.

To test if you are vulnerable, you can use our test certificate. If executing "openssl x509 -in cve-2015-3194-test.pem -noout -text" works without crashing, you should not be vulnerable.

The original OpenSSL security advisory is available at https://www.openssl.org/news/secadv/20151203.txt. It also contains a few other issues that are not directly applicable to Bro.