Bro Monthly #4

Welcome to the 4th Bro Monthly newsletter. This month we cover the following topics:

• Bro Meet-ups: our category for Bro related gatherings and groups,
• Bro teaching and training news,
• Bro Commits: 2.3.2 is released,
• Bro in the wild,
• Bro internal.

Bro Meet-ups

Bro4Pros

On 2/18 and 2/19 we had our first Bro workshop for advanced users, Bro4Pros at the OpenDNS headquarters in San Francisco. Thanks again to our hosts and especially to Dan Hubbard. The topics focused on practical Bro questions arising in everyday usage. They ranged from advanced Bro scripting to complex engineering when planning and setting up Bro in big networks. The small group size allowed us to go in depth and discuss detailed questions.

Kara Drapala from OpenDNS wrote a blog post about Bro4Pros. If you want to read the view of someone experiencing the Bro Team for the first time, read her article.

We thank all our speakers and presenters.

• Anthony Kasza of OpenDNS presented concepts and exercises focussing on DNS and its relationship to other protocols. Topics discussed include: how exploit kits make use of drive-by compromises, how malware implants use DGAs for obscuring command and control communications, and how passive DNS can fit into network detection strategies. Proof of concept Bro scripts implementing detection methods were demonstrated. The presentation encouraged others to author Bro scripts (even if just for experimental purposes) and showed how Bro’s scripting language can be used to extend the current capabilities of Bro.
  Slides posted here.
• Justin Azoff demonstrated ways to make Bro even more useful by visualizing its metrics. Using external tools in combination with Bro brings your Bro deployment to life and can help understand your network.
• Seth Hall showed an approach to matching files seen on the wire with VirusTotal and discussed why this may be a difficult problem to approach.
• Robin Sommer demonstrated how to make Bro even more powerful by extending it with dynamic plugins. If you want to get started you might find our documentation helpful. 
• Another talk by Seth Hall covered some of the pitfalls when scripting with Bro and how to avoid them. 
• Liam Randall and Alex Waher gave Lightning talks:
• Alex Waher presented his experience on using Bro in conjunction with viewssld to process encrypted traffic.
• Liam Randall presented two projects; Bro Top lets you stream your Bro logs to the browser for easy debugging and a real-time glimpse into whats being processed. The Intel Marketplace for Bro is a free feed manager for the Bro Platform that let’s from nearly 60 free open source feeds of intelligence and map them to collections of Bro sensors and is supported on 24 different *nix versions.
• Vlad Grigorescu gave a talk on “Verifying and troubleshooting your Bro Deplyment”.  Slides posted here, the companion script is posted here. 
• The second day was opened by Seth Hall discussing Bro internals. He showed how Bro approaches hard problems of edge cases in protocols with HTTP as an example. He walked through turning the raw event stream into a good logs and enabling a comfortable programming model to hide complexity.
• Josh Liburdi discussed methods of analyzing RDP traffic with Bro by introducing an RDP protocol analyzer. You find his slides here. To try it out go to Josh’s git repository.
• Seth Hall helped out again, demonstrating the new file reassembly feature coming in Bro 2.4 and other small changes to how files are handled.
• Closing with a bang: Aashish Sharma and Vincent Stoffer gave the last talk at Bro4Pros. They presented the impressive Bro setup implemented at the Lawrence Berkeley Lab. They are willing to share their slides with individuals. Please contact security@lbl.gov.

BroCon’15

We are happy to announce BroCon’15!

BroCon ’15 registration is now open. You may register here: https://www.regonline.com/brocon2015. We have reserved a block of hotel rooms for the event. For more information about hotel accommodations and other updates, see the event page: https://www.bro.org/community/brocon2015.html. 

If your organization is interested in sponsoring BroCon ’15,please contact us at info@bro.org.

Thanks for your continued support, see you in August!

Bro Teaching and Training

The Bro Teaching Community is for anyone who wants to teach Bro or use Bro for teaching. We provide a connecting point through a git-repository and a mailing list. We also used to have a weekly meeting. The Bro Teaching community lives from the input that comes form the community members. As we noticed decreasing activity in our weekly meetings we went through several changes to adapt to the real needs of the community. This is a continuing process. In order to make the Teaching Community more active and to further improve we invite everyone to send wishes and suggestions to either teaching@bro.org or directly to us via info@bro.org.

Bro v2.3.2 was released. Source distribution and binary packages are available on our downloads page. This release fixes the following vulnerabilities:

• Parsers generated by BinPAC may contain out-of-bounds memory reads due to insufficient validation of field lengths. Reported by John Villamil and Chris Rohlf – Yahoo Paranoids. (CVE-2014-9586)
• A DNP3 pseudo link layer length of zero may trigger an assertion or buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1521)
• Some non-zero values for the DNP3 pseudo link layer length may cause a buffer over-read/overflow. Reported by Travis Emmert. (CVE-2015-1522)

We encourage users to review and install at their earliest convenience. For reporting security concerns and vulnerabilities, see: how to report a security vulnerability.

Bro in the wild

Bro Internal

Bro sends congrats to the Bro team at NCSA

@NCSAatIllinois @Bro_IDS team received technical excellence awards today and a bucket of clams for their hard work. pic.twitter.com/eUZWjm6gCW — Jon Schipp (@JonSchipp) January 28, 2015

Why Choose Bro?