Bro News #6

Welcome to the 6th Bro not-monthly newsletter. We have renamed Bro Monthly to Bro News: instead of forcing out a newsletter every month, we send updates when there is really something to say. This time we cover the following topics:

  • End of Bro-year: Another year of the NSF project funding Bro has ended. Read about all the awesome things we’ve accomplished.
  • Bro Meet-ups: our category for Bro related gatherings and groups.
  • Bro Commits: Bro v2.4.1 is here. Get your improved Bro 2.4.
  • Bro Internals: Bro has joined Software Freedom Conservancy.

End of Bro-year

Most of what we do is possible only thanks to the generous funding granted by the National Science Foundation. Each funding cycle is one year, and here we present some of the results of the Bro-year that is now ending.

Engineering work

Here are some highlights of the engineering related achievements in the last year:

  • We developed a novel network control framework that provides Bro with a flexible, unified interface for active response, hiding the complexity of controlling heterogeneous network equipment behind a simple task-oriented API.
  • We finished and released the first version of Broker, Bro’s new communication layer.
  • We finalized Bro’s new plugin infrastructure, which allows users and developers to more easily extend Bro with externally maintained functionality, loaded dynamically into Bro at startup in the form of shared libraries.
  • We added new protocol and file analyzers to Bro, implementing support for MySQL, Kerberos, RDP, PE, and SIP. We also overhauled the SSH analyzer, which now extracts substantially more information, facilitating in particular a new detector that can reliably tell whether an SSH login attempt was indeed authenticated successfully.
  • We substantially improved Bro’s file analysis capabilities, adding (1) support for reassembly of files transferred in chunks, potentially across independent connections; and (2) a redesign of how Bro identifies file formats.
  • We substantially extended Bro’s SSL/TLS/X.509 support, including:
    • Raising alerts for SSL connections that use old protocol versions, unsafe cipher suites, or weak keys.
    • Full support for record defragmentation.
    • Detection of SSL session resumption.
    • Many robustness improvements.
  • We rewrote bro-cut, the primary tool for analyzing Bro’s ASCII logs, in C (it was previously written in awk), improving its performance by an order of magnitude.
  • We improved and extended Bro’s regression test-suite.

In addition to these larger efforts, we again carried out an extensive set of smaller improvements, fixes, and polishing across the whole code base. The NEWS file has a summary of what went into 2.4.
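Two of the items above, the ASCII log tooling and the new SSL alerts, are easy to illustrate together. The following is an added example, not code from the Bro project: a small Python reader that handles Bro's ASCII log format the way bro-cut does, driven by the #separator, #unset_field and #fields header lines rather than by hard-coded column positions, and an old-version/weak-cipher check of the kind the new SSL scripts raise alerts for. The ssl.log excerpt is constructed, and the version/cipher policy (OLD_VERSIONS, WEAK_CIPHER_RE) is this example's own assumption, not Bro's shipped notice policy.

```python
"""Read a Bro ASCII log like bro-cut does and flag weak SSL/TLS connections.

Added example.  The log below is constructed, not captured, and the
weak-version/weak-cipher policy is an assumption for illustration only.
"""
import re

# Constructed ssl.log excerpt in the Bro 2.4 ASCII format (tab separated).
# The header line "#separator \x09" is literally that text in the file; every
# later header line and record uses the declared separator (a tab).
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\tresumed\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool\tbool
1447000001.123456\tCab1\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tgood.example\tF\tT
1447000002.223456\tCab2\t10.0.0.6\t51001\t192.0.2.11\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\tlegacy.example\tF\tT
1447000003.323456\tCab3\t10.0.0.7\t51002\t192.0.2.12\t443\tTLSv10\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\t-\tT\tT
1447000004.423456\tCab4\t10.0.0.8\t51003\t192.0.2.13\t8443\tTLSv12\tSSL_RSA_EXPORT_WITH_RC4_40_MD5\texport.example\tF\tT
#close\t2015-11-08-12-00-00
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names from the #fields header.

    The separator and the unset-field marker are taken from the header, so the
    reader does not care about column order or which columns a site added.
    Unset fields ("-" by default) are returned as None.
    """
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # "#separator" is followed by a space (the separator itself is not
            # known yet); all other directives use the declared separator.
            split_on = " " if line.startswith("#separator") else sep
            key, _, val = line[1:].partition(split_on)
            if key == "separator":
                sep = val.encode().decode("unicode_escape")   # "\x09" -> "\t"
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            continue                                          # #path, #types, #close, ...
        if fields is None:
            raise ValueError("record encountered before #fields header")
        vals = line.split(sep)
        if len(vals) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {f: (None if v == unset else v) for f, v in zip(fields, vals)}


def bro_cut(text, *names):
    """Select named columns, as `bro-cut uid server_name` would."""
    return [[rec[n] for n in names] for rec in parse_bro_log(text)]


# Assumed policy for this example (not Bro's shipped SSL notice scripts).
OLD_VERSIONS = {"SSLv2", "SSLv3", "TLSv10"}
WEAK_CIPHER_RE = re.compile(r"(RC4|_DES_|3DES|NULL|EXPORT|MD5)")


def weak_tls_connections(text):
    """Return (uid, reason) pairs for connections that negotiated an old
    protocol version or a weak cipher suite.  Unset version/cipher fields
    (handshake never completed) are skipped rather than treated as weak."""
    findings = []
    for rec in parse_bro_log(text):
        reasons = []
        version, cipher = rec.get("version"), rec.get("cipher")
        if version in OLD_VERSIONS:
            reasons.append("old protocol version " + version)
        if cipher and WEAK_CIPHER_RE.search(cipher):
            reasons.append("weak cipher suite " + cipher)
        if reasons:
            findings.append((rec["uid"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for uid, reason in weak_tls_connections(SAMPLE_SSL_LOG):
        print(uid, reason)
```

Because the reader trusts the header rather than fixed offsets, the same code works unchanged on a site's ssl.log even if local scripts have added or reordered columns, which is the property bro-cut users rely on.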

Bro Community Work

We worked with 14 institutions over the last year, providing different levels of support to help them start or improve their Bro setup. The main event was BroCon, our traditional 2.5-day annual conference for Bro users, held this year at MIT in Cambridge, MA. See the Meet-ups section for more details.

We also hosted a smaller 1.5-day workshop, Bro4Pros, in San Francisco, aimed specifically at advanced Bro users. The agenda is online. The workshop was hosted and sponsored by OpenDNS, which provided free facilities, catering, and publicity for the event.

We also provided a half-day Bro training workshop at the 2015 NSF Cybersecurity Summit for Cyberinfrastructure and Large Facilities. Again, please refer to the meet-ups section for more details.

As a side project, we continued deploying Bro as a distributed data collector for research purposes via the “ICSI SSL Notary”, which helps clients identify malicious TLS certificates by providing a third-party perspective on what they should expect to receive from a server. The Notary has been operating for more than 3 years and has now extracted more than 3 million unique certificates (along with other TLS features) from more than 129 billion connections.

Bro Training

We continued and extended our efforts to train people on Bro. This included:

  • We advanced our live training environment, formerly called BroLive!, into the more general educational platform ISLET, an “Isolated, Scalable, & Lightweight Environment for Training”.
  • Our web-based sandbox for executing Bro scripts, http://try.bro.org, has been improved. Among other work, try.bro now allows for more detailed log inspection, and it can run every Bro version since 1.5, so that their specifics and changes can be compared side by side.
  • We added more videos to our YouTube channel and continued to adjust our training material according to the needs of the community.
  • The first Bro challenge was presented at BroCon’15. We will continue the work on this topic.

Bro Meet-ups

BroCon’15 Celebrated 20 Years of Bro!

180 people joined us for 2.5 days of talks and demos at MIT, celebrating 20 years of Bro. Vern Paxson gave the keynote speech, recalling the history of Bro and summarizing its last 20 years. We had a great set of talks and demos this year, which are finally available as videos on YouTube.

The exercise sessions were replaced by do-it-yourself exercises and a challenge. Keith Lehigh won the challenge. Thank you Keith. The challenge can be found here.

We hear you: our survey this year told us that more than 90% liked the topics and their presentations (ratings of 2 or 3 on a 0-to-3 scale), although some people hope that the training sessions will return in the future. Overall, we appreciate the very positive feedback we received, and we promise to keep the opportunities for improvement in mind as we begin planning for BroCon 2016.

NSF Cybersecurity Summit 2015

Bro held a one-day workshop at the NSF Cybersecurity Summit 2015.

Bro Commits: Bro 2.4.1 is here!

Bro 2.4.1 has been released. This release addresses a few potential denial-of-service (DoS) vectors that could be triggered with specially crafted connections. It also contains minor updates to analyzers to reduce the number of messages written to reporter.log. The source distribution is available on the download page, and users of the binary packages should be able to update through their system package manager.
See CHANGES for the full list of changes in the release.
Although this is only a bug-fix release, it closes DoS vectors, so we encourage users to update at their earliest convenience.

Bro Internals: Bro has joined Software Freedom Conservancy

The Bro Project is excited to announce it has joined Software Freedom Conservancy (SFC), a non-profit organization that promotes and protects open source projects. To learn more about this decision, see our blog post.
