Bro Monthly #3

Welcome to the 3rd Bro Monthly newsletter.
This month we cover the following topics:

  • Bro Meet-ups: a new monthly category for Bro related gatherings and groups,
  • Bro teaching and training,
  • Bro in research,
  • Bro in the wild,
  • Bro-active: current exploits, attacks, and how Bro can help, and other everyday Bro.

Call for news:

If you want to point us on anything that should be in the next monthly just let us know, send mail to or tweet it to @Bro_IDS.

Bro Meet-ups

This new category lists all meet-ups we hear of that are somehow related to Bro. If you send us the information we can list your event here. Just write to


OpenNSM aims to provide a place for network security analysts and those interested in information security with a network security and incident response focus to share tricks, solutions, work on projects, and other knowledge about the subject. We’re not aware of any other active NSM user groups in the United States, and have the ambitious goal of being a premier place for students, professionals, and hobbyists, from all over to share their research, tools, and techniques in a laid back and friendly environment. Remote attendance is available. Join the mailing list or Facebook group for meeting info.

They’ve had 3 presentations from Bro Team members so far and more to come!

More info:

Bro teaching and training


The Isolated, Scalable, & Lightweight Environment for Training is container system for teaching Linux based software with minimal participation and configuration effort. You can use ISLET to teach Bro by installing the BroLive! environment (‘make install-brolive-config’) after install ISLET.

Bro research


When developing networking systems such as firewalls, routers, andintrusion detection systems, one faces a striking gap between the easewith which one can often describe a desired analysis in high-levelterms, and the tremendous amount of low-level implementation detailsthat one must still grapple with to come to a robust solution. At thisyear’s Internet Measurement Conference (IMC) we presented a prototypeof “HILTI”, a platform that bridges this divide by providing much ofthe standard low-level functionality, without tying it to any specificanalysis structure.

We presented HILTI today at #imc14, an abstract machine for traffic analysis. Read the paper at

— The Bro Platform (@Bro_IDS) November 7, 2014

Beyond pattern matching: a concurrency model for stateful deep packet inspection

On modern multi-core processing platforms, intrusion detection systems need to scale across a large number of processing units–a challenge, as distributing their analysis must not come at the cost of decreased effectiveness in attack detection. At ACM’s Conference on Computer and Communications Security (CCS) we presented a novel domain-specific concurrency model that facilities concurrent traffic analysis by partionining input according to fine-granular analysis scopes.

At #ccs14 this week, we presented a concurrency model for stateful packet inspection. Read the paper at

— The Bro Platform (@Bro_IDS) November 8, 2014

Bro in the wild

"@mimeframe: How Facebook does Incident Response …" < Facebook uses @Bro_IDS Intel framework. NICE.

— Anthony (@anthonykasza) October 16, 2014

excited to share some of the work I've done at @CrowdStrike with the @Bro_IDS / NSM community. there's more to come.

— Josh Liburdi (@jshlbrd) October 30, 2014

@Bro_IDS Sandworm detection script released at let me know if you find any errors

— Stephen Hosom (@0xHosom) October 16, 2014



SSL continues to produce headaches, last month’s hick-up was a protocol mistake in SSLv3. 

To find SSLv3 servers in your Bro logs this line helps you:

cat ssl.log | bro-cut version id.resp_h | grep “^SSLv3” | awk ‘{print $2}’|  sort | uniq -c | sort -nr

Blog post: The SSLv3 #Poodle Attack & current SSL usage statistics from the ICSI SSL Notary:

— ICSI Notary (@ICSInotary) October 17, 2014

FireEye APT28

Here is the @Bro_IDS Intel file for the @FireEye APT28 Report. brought to you by @jayl0w #theyareinyourbase

— Toosmooth (@Toosmooth) October 28, 2014

Bro Passive DNS tool

Searching DNS logs became a lot faster with our Passive DNS tool for Bro. Check it out on GitHub

— The Bro Platform (@Bro_IDS) November 7, 2014

%d bloggers like this: