Bro Monthly

Welcome to the 1st Bro Monthly, our new monthly newsletter covering the latest developments in the Bro universe. This newsletter will appear every month, around the 15th, as a Bro blog post.
Please send feedback, wishes, and suggestions to or @Bro_IDS on Twitter.



BroCon’14  was held at NCSA from August 18th – 20th.
This year we received almost 150 attendees, our largest Bro event ever!

At this point we want thank again our sponsors:
Arista, Northrop Grumman, NSF, Reservoir Labs, and Security Onion Solutions.
A big thank you goes to NCSA who helped organizing the event.

We had great talks, presentations, and demos:

  • BroCon was opened by Adam Slagell, introducing the Bro Center of Expertise , an NSF project that enables a lot of new developments in the Bro universe,
    such as Bro Live! and Try.Bro (see below).
  • Nick Buraglio from ESnet talked about “Best practices for securing the science DMZ”.
  • Bob Rotsted from Reservoir Labs discussed the “Value of context when detecting adversaries”.
  • Johanna Amann from ICSI presented the new SSL analyzer in Bro 2.3 that is also capable of detecting the Heartbleed exploit.
  • Michael Pananen from Vigilant Technology Solutions showed how he automated Bro’s installation, upgrade, and configuration using puppet.
  • Kurt Grutzmacher from Cisco Security Solutions presented OpenSOC, a Hadoop solution to extend Bro’s ingestion capacity to 1.2 million packets per second and more.
  • Aashish Sharma gave some very entertaining insights into his day-to-day work fighting off attacks at LBNL.
  • Matthias Vallentin from ICSI introduced VAST (Visibility Across Space and Time), a large-scale network forensics platform.
  • Robin Sommer’s (ICSI/LBNL/Broala) live demonstration of the new BinPAC++ parser generator was one of the most resonating contributions. He implemented a full protocol parser in less than half an hour in front of the audience.
  • To conclude the day Seth Hall (ICSI/LBNL/Broala) talked about the future of Bro, giving insights into long term and short term plans.
  • The third day was opened by Bob Bregant from the University of Illinois, who talked about how Arista’s “DANZ” software can be used in combination with Bro to balance the costs when monitoring large high speed networks, working around problems arising from aggregation and traffic splitting.
  • The third day was wrapped up by a panel discussion in which the audience had the chance to pick the Bro team’s brains about their visions for the Bro project.

Apart from the talks and demos we had five exercises ranging from beginner level to quite advanced scripting challenges. The exercises can be found at the event site of BroCon’14 . The solutions will be given out on demand. Please contact

The videos of most of the BroCon’14  talks are now online. The Bro team respects the privacy preferences of our speakers, so when a speaker opted to not being recorded, we do not offer a video of the talk.

2014 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure

The CTSC Summit was held in Arlington, VA on August 26th – 28th.

The Bro team presented a one-day training to a smaller group of attendees affiliated with NSF projects.  The training consisted of a couple exercises from BroCon ’14 as well as some presentations.

Robin Sommer also gave an overview of the Bro Center of Expertise at the main event on August 27, 2014, in which he presented our latest efforts for making Bro more accessible to the community, and enable people and institutions to use Bro more effectively.

Bro Commits

Bro 2.3.1

Bro v2.3.1 has been released. This release addresses a potential DOS vector using specially crafted DNS packets. It also fixes a bug in the OCSP validation code that could lead to crashes as well as a memory leak. The source distribution and binary packages are available on our downloads page. See CHANGES for the full commit list. Since this release addresses a bug fix, we encourage users to review and install at their earliest convenience. Feedback is encouraged and should be sent to the Bro mailing list .

Bro’s new dynamic plugin infrastructure

Any who has tried to add a new protocol analyzer to Bro will havenoticed that so far that has required touching a lot of pieces of Bro, as well as a complete rebuild of the Bro code base. We have just added a new comprehensive plugin infrastructure to Bro that makes this process much easier by allowing to write protocol analyzers externally, without *any* changes to the Bro core, by compiling them into a shared library that Bro will then load at runtime.  That way, the custom code remains self-contained, and can be maintained and installed independently.

This new infrastructure is in fact not limited to protocol analyzers, but supports other components of Bro as well. Developers can now use plugins also to provide custom file analyzers, log writers, input readers, packet sources and dumpers, as well as new built-in functions. For more information, see the introduction to writing Bro plugins.

Packet Bricks

We are happy to present an initial prototype of Packet Bricks, a new Bro-related project written by Asim Jamshed from KAIST, who visited the Bro team in Berkeley over the summer.

Packet Bricks – which is still under active development – is a Linux/FreeBSD daemon that is capable of receiving and distributing ingress traffic to userland applications. Its main responsibilities will eventually include (i) load-balancing, (ii) duplicating and/or (iii) filtering ingress traffic across all registered applications. The distribution is flow-aware (i.e., packets of one connection will always end up in the same application). Packet Bricks leverages the netmap packet I/O framework for handling packets efficiently, and employs netmap pipes to forward packets to userland applications.

Packet Bricks is available on github. It’s still a very early piece of software, and we announce it at this time primarily for user’s willing to help us collect some first experiences with it. If you have any feedback, please send it to the Bro development mailing list. If you aren’t subscribed yet, you can do so here.

Bro On Demand

@runasand: @Bro_IDS Hey, could you please enable SSL by default on your website?” < Done.

— The Bro Platform (@Bro_IDS) September 8, 2014

Bro Teaching and Trying

In August we launched three new projects that aim at helping the Bro community use, learn, and teach (with) Bro.

The Bro Teaching Community

We are happy to announce the newly started Bro Teaching Community, a community project of educators interested in collaboratively exploring Bro’s use as a teaching tool, and sharing experiences and material. The goal is to create a knowledge base and resource collection for educators, ranging from example curricula and slide sets to exercises for all purposes and skills levels. We provide logistics and technical advice, e.g., weekly calls, a mailing list, a repository with seed material, and access to the Bro team. To learn more please visit our Teaching Site.

The Bro Playground

The Bro Playground  is a new part of the Bro Community resources.

It is a collection of tools and toys to assist you.

Whether you want to teach Bro, use Bro for teaching others, teach yourself, or try something out “quickly” without impacting your live system, this is the place to look for the right tool for your use case.


Try.Bro – as simple as that!

Try.bro is a web-based Bro scripting sandbox made freely available to users on our site

No login.
No installation.
No trouble.

We have included a few basic scripts and pcaps to help get you started. You can paste your own scripts or upload your own pcaps, too. We even included the option of chosing different Bro versions to test your scripts against current or previous releases. And, last but not least, Try.bro temporarily caches your work and generates a unique URL to share with others. No more copying and pasting scripts or log files, just send the link. We store code fragments for three days and pcaps for one hour. The timeout is reset when the link is used.

To learn more please refer to the blog post.

Bro Live!

We are excited to announce the public release of Bro Live!

Bro Live! is a training system that gives users hands-on access to a Bro learning environment without having to download a virtual machine or its required dependencies.  Bro Live! may be built with exercises for a given class or workshop and access to the environment may be limited to the duration of the event. All the user needs is an SSH client with access to the Internet.

Please read our latest Blog post.

Cool Stuff

Exfil Framework by Reservoir Labs

Robert Rotsted from Reservoir Labs posted on the Bro mailing list about the new Exfil Framework.

“The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).
The scripts are located at: