
The Bro Network Security Monitor - X4
http://www.bro.org/
======
eldavido
I did a ton of work with bro in graduate school, including extensive
collaboration with Robin Sommer, one of the project's architects. Bro is a
great product, written primarily in C++, which parses protocols and passes
events about those protocols up to a set of user-definable handlers. It's been
used to study protocol parsing, intrusion detection, and a lot of other topics
in network security.

Funny, I was just telling my girlfriend this morning how the US doesn't have
many free-standing "research institutes" a la Germany's Max Planck institute,
but bro, having been produced by ICSI, came out of one of the best academic CS
labs in the US, if not the world -- the International Computer Science
Institute.

~~~
eldavido
Incidentally, a big part of my thesis was studying DNS parsers and how network
vulnerabilities can be expressed and tracked. It turns out to be an
interesting language design problem. One of our papers, "VESPA", the
"vulnerability signatures parser", proposed a DSL-like design for describing
vulnerabilities using a minimal C++ syntax.

This is a very rich area of research and one I'd like to apply some of my
recent high-scale stuff I've done at work on. bro was doing event-based
processing in pure C++ long before node.js existed (some 10 years ago) --
these guys are really, really smart.

------
dang
For some reason, this article was rather heavily flagged. I've overridden
that, because the project looks serious and credible. Are people just reacting
to the title, or is there something else wrong with this story?

~~~
jimminy
It's kind of hard to take them seriously when the usage of 'bro' has become
so unserious. And then they use their name in situations where 'bro' would be
used for humor, e.g. BroCon '14, The More You Bro (on their YouTube account).

It's just a mess. The tech looks interesting though, but it's really hard to
take them seriously because of the name they chose.

Edit: Why is this getting downvoted? I pointed out my reaction to the title. I
had never heard of it before so had no connection to their writings from 15
years ago. P.S. I didn't flag it.

~~~
dang
Their email archive goes back to 1998. Presumably the name wasn't a troll 15
years ago?

~~~
Tokala
It is a reference to "1984" and Big Brother. Their naming choice was
mentioned in the original paper about it from 1999:
[http://www.icir.org/vern/papers/bro-CN99.html](http://www.icir.org/vern/papers/bro-CN99.html)

------
awakened
Many on HN may not realize, but there are miniature NSA groups in most every
organization in the USA. Universities, non-profits, small corporations, local
governments, etc. If they have an IT Security group, then they are likely
spying on IP connections.

They use Bro, Snort, Suricata, Argus and other tools to record metadata about
every IP connection that comes into or leaves their networks. Some of them
terminate SSL connections and forge certificates. A few of them even drop
encrypted protocols that they are not able to decrypt and inspect.

They use taps and/or SPAN ports to do the spying.

Most of them try to keep this activity quiet. This mentality is pervasive and
it is everywhere (especially in USA based organizations). Everyone should be
aware.

No one is safe from this spying, even senior management and tenured faculty
connections are being inspected and recorded for later use if needed. They
just don't know it.

~~~
iancarroll
This post lacks citations, stories where this has been outed, and just seems
like bullshit in general.

~~~
wyager
Well, I have some evidence in support of what he says (at least, that
universities log connections). My university, of some 48,000 students (in
2010), logs 100% of all connections. I know, because I have seen the data.
It's provided to researchers with the IPs replaced by some other persistent
identifier (which they hopefully generated randomly). You can see IP
addresses/domain names, and I think they might have also had URL data for http
connections (although I'm not sure on that one).

They also emailed and temporarily disconnected all students who were running
servers vulnerable to heartbleed, so presumably they do some form of more
intensive inspection and logging as well.
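
The data release wyager describes, connection logs with the addresses swapped for a persistent identifier, is worth seeing done carefully. The example below is added here and is not code from the thread or from any university. It assumes a simple tab-separated log layout (constructed sample lines) and uses HMAC-SHA256 under a freshly generated random key: the same address maps to the same token throughout one release, so researchers can still correlate connections, but without the key the token cannot be turned back into an address. The `hmac`, `hashlib`, `ipaddress` and `secrets` modules are from the Python standard library.

```python
"""Keyed pseudonymization of IP addresses in a connection log.

Added example, not from the thread. Log layout and sample lines are
constructed; the scheme is HMAC-SHA256 under a per-release random key.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample lines: ts, src_ip, dst_ip, dst_port, host (tab separated).
SAMPLE_LOG = (
    "1398000001\t10.1.2.3\t93.184.216.34\t80\texample.com\n"
    "1398000002\t10.1.2.3\t93.184.216.34\t443\texample.com\n"
    "1398000003\t10.1.2.4\t2001:db8::1\t443\tv6.example.com\n"
)


def new_key() -> bytes:
    """Fresh 256-bit key. Generate one per data release and never ship it with the data."""
    return secrets.token_bytes(32)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Map an address to a stable 16-hex-character token under `key`.

    Canonicalising through ipaddress first means textual variants of the same
    address ('2001:db8::1' and '2001:0db8:0000::0001') yield the same token.
    """
    canonical = ipaddress.ip_address(ip).packed
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymize_log(text: str, key: bytes) -> list:
    """Rewrite the two address columns; timestamp, port and host pass through."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, host = line.split("\t")
        out.append("\t".join(
            [ts, pseudonymize_ip(src, key), pseudonymize_ip(dst, key), port, host]
        ))
    return out


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymize_log(SAMPLE_LOG, key):
        print(row)
```

The key is the whole point: an unkeyed hash of an IPv4 address is not a pseudonym, because the address space is only 2^32 values and anyone holding the data can hash them all and match. With a random key that is kept out of the release, the mapping is stable within the release and meaningless outside it, and a new key per release prevents tokens being joined across releases.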

~~~
ams6110
Because most universities have pretty wide-open networks with high bandwidth,
they do monitor for illegal, commercial, or malware activity on their
networks. They don't want to get blacklisted as spammers among other things.
They are also highly concerned about possible exposure of sensitive student
personal and research data and some have started auto-encrypting emails that
appear to contain such.

~~~
wyager
Why do they keep old logs if they're just monitoring for
illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't
be logging it.

~~~
ams6110
They keep the logs so they can use them in after-the-fact investigations, and
for research.

~~~
wyager
>and for research.

That's not the same thing as "monitoring for illegal/commercial/malware
activity".

~~~
shawnreilly
In some cases, research does relate to identifying Security Threats. This
mostly relates to layer 7, which is much more complex than ports and protocol
based detection. The idea is: if you don't know what you're looking for
(presumably a 0-day or unknown threat), then how would one find it? The answer
is, research (aka analyze) the data. This ranges from Flow Data (which can
date back months/years) to Packet Captures, to even Real Time Deep Packet
Inspection (all relating to SIEM Solutions). In these scenarios, you would be
looking for the needle in the haystack, but the needle is not clearly defined.
You would have to work to identify and define it. So research does relate to
identifying illegal/commercial/malware activity. Organizations that understand
this are working towards implementing (or have already implemented) real time
adaptive security models to mitigate these threats. This will allow them to
not only identify and attempt to stop unknown Security Incidents, but also
effectively investigate Incidents (forensics).
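
Two concrete forms of the "research the data" hunting shawnreilly describes, where no signature yet names the threat, are looking for destinations a host has never contacted before and looking for connections that recur at suspiciously regular intervals. The example below is added here and is not code from the thread or from Bro; the flow records are constructed (a 30-day baseline and a one-day analysis window with a host that starts calling a new address every 600 seconds), and the thresholds `min_flows` and `max_cv` are assumptions to tune against real data.

```python
"""Hunting over flow history: new destinations and periodic contact.

Added example, not from the thread. Flow records are constructed as
(timestamp, src, dst, dst_port, bytes); thresholds are illustrative.
"""
import statistics
from collections import defaultdict

BASELINE_CUTOFF = 30 * 86400  # flows before this are the baseline, after it the window under study
FLOWS = []

# Baseline: 30 days of two hosts visiting two well-known destinations a few times a day.
for day in range(30):
    for hour in (9, 13, 17):
        t = day * 86400 + hour * 3600
        FLOWS.append((t, "10.0.0.5", "93.184.216.34", 443, 5000))
        FLOWS.append((t + 120, "10.0.0.5", "192.0.2.10", 443, 2000))
        FLOWS.append((t + 300, "10.0.0.6", "93.184.216.34", 443, 1500))
        FLOWS.append((t + 420, "10.0.0.6", "192.0.2.10", 443, 1500))

# Day 30: 10.0.0.5 starts contacting a never-seen address every 600 s with small jitter.
JITTER = [0, 3, -2, 5, -4, 1, 2, -3, 4, 0, -1, 2]
for i, j in enumerate(JITTER):
    FLOWS.append((BASELINE_CUTOFF + 3600 + 600 * i + j, "10.0.0.5", "198.51.100.9", 443, 300))

# Day 30: 10.0.0.6 browses irregularly, touching one new destination once.
for dt, dst in [(0, "93.184.216.34"), (45, "192.0.2.10"), (400, "93.184.216.34"),
                (410, "192.0.2.10"), (2000, "203.0.113.55")]:
    FLOWS.append((BASELINE_CUTOFF + 7200 + dt, "10.0.0.6", dst, 443, 1500))


def split_windows(flows, cutoff):
    """Partition flows into (baseline, recent) by timestamp."""
    baseline = [f for f in flows if f[0] < cutoff]
    recent = [f for f in flows if f[0] >= cutoff]
    return baseline, recent


def new_destinations(baseline, recent):
    """Per source host, the destinations seen in `recent` but never in `baseline`."""
    seen = defaultdict(set)
    for _, src, dst, _, _ in baseline:
        seen[src].add(dst)
    fresh = defaultdict(set)
    for _, src, dst, _, _ in recent:
        if dst not in seen[src]:
            fresh[src].add(dst)
    return dict(fresh)


def periodic_pairs(recent, min_flows=6, max_cv=0.1):
    """(src, dst, median_interval) for pairs whose inter-flow gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive flows; human browsing is bursty and scores high.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in recent:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found.append((src, dst, statistics.median(gaps)))
    return found


if __name__ == "__main__":
    base, recent = split_windows(FLOWS, BASELINE_CUTOFF)
    print("new destinations:", new_destinations(base, recent))
    print("periodic pairs:", periodic_pairs(recent))
```

Neither check knows anything about the threat in advance; both only say "this host is behaving differently from its own history", which is what turns a haystack into a short list an analyst can actually read. Stored flow data is what makes the baseline possible, which is the connection between long log retention and detection that the thread is arguing about.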

------
rdl
What's the simple comparison between Bro and Snort?

~~~
adricnet
Snort is a rule based IDS/IPS and BroIDS is a policy based IDS. In their
default configurations rule based IDS reacts (alerts, blocks) based on the
rules loaded where policy based systems like BroIDS interpret the traffic they
see and can react to kinds of traffic if configured.

In practice Snort (Suricata, etc) can read, understand and react to individual
streams on the wire very quickly. This is especially important for intrusion
prevention (IPS) inline.

BroIDS (prelude, etc) generate detailed logs and highlight interesting traffic
(as configured) and are excellent for gathering intelligence. One of the
recently popular features of BroIDS is to decode and save to disk all files in
traffic it sees, checking the hashes of those files against blacklists as it
goes.

If you are at all interested in these systems you should try out Security
Onion at www.securityonion.net, an awesome pre-configured Linux with many
network security monitoring (NSM) tools already installed including Snort,
BroIDS and many, many others.
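
To make the rule-based versus policy-based distinction adricnet draws concrete, and the "events passed up to user-definable handlers" architecture eldavido describes at the top of the thread, here is a miniature of both styles side by side. This is an added example, not Bro or Snort code: a stand-in "protocol analyzer" emits `http_request` and `file_hash` events to handlers registered by a policy layer, one of which checks carved-file hashes against a blacklist the way the file-extraction feature does; a separate function matches byte signatures per payload the way a Snort rule would. The traffic records, blacklist entry and signature are all constructed.

```python
"""Rule-based vs event/policy-based inspection, in miniature.

Added example, not from Bro or Snort. Traffic, blacklist and signature are
constructed; the shape of the two approaches is what matters.
"""
import hashlib
from collections import defaultdict


class EventBus:
    """Core side calls emit(); the policy side registers handlers with on()."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.http_log = []   # every transaction, suspicious or not (Bro-style logging)
        self.notices = []    # only what a policy handler decided to raise

    def on(self, name):
        def register(fn):
            self.handlers[name].append(fn)
            return fn
        return register

    def emit(self, name, **fields):
        for fn in self.handlers[name]:
            fn(self, **fields)


# Constructed HTTP transactions, already reassembled: (src, dst, uri, response body).
TRAFFIC = [
    ("10.0.0.5", "203.0.113.7", "/update.exe", b"MZ" + b"\x90" * 40),
    ("10.0.0.6", "203.0.113.8", "/index.html", b"<html>hi</html>"),
]

# Constructed blacklist: the SHA-256 of the first body above.
KNOWN_BAD = {hashlib.sha256(b"MZ" + b"\x90" * 40).hexdigest()}


def parse_http(bus, records):
    """Stand-in for the protocol analyzer: one http_request event per transaction
    and one file_hash event per carved body. It decides nothing itself."""
    for src, dst, uri, body in records:
        bus.emit("http_request", src=src, dst=dst, uri=uri, size=len(body))
        if body:
            bus.emit("file_hash", src=src, uri=uri,
                     sha256=hashlib.sha256(body).hexdigest())


def run_policy(records):
    """Policy-based side: handlers interpret events; returns (http_log, notices)."""
    bus = EventBus()

    @bus.on("http_request")
    def log_request(b, src, dst, uri, size):
        b.http_log.append((src, dst, uri, size))

    @bus.on("file_hash")
    def check_blacklist(b, src, uri, sha256):
        if sha256 in KNOWN_BAD:
            b.notices.append(f"{src} fetched blacklisted file {uri} sha256={sha256}")

    parse_http(bus, records)
    return bus.http_log, bus.notices


# Rule-based side: a byte pattern per rule, tested against each payload.
SIGNATURES = [("exe-download", b"MZ")]


def run_rules(records):
    """Snort-style matching: an alert per (rule, payload) hit, nothing otherwise."""
    alerts = []
    for src, dst, uri, body in records:
        for name, pattern in SIGNATURES:
            if body.startswith(pattern):
                alerts.append((name, src, dst, uri))
    return alerts


if __name__ == "__main__":
    log, notices = run_policy(TRAFFIC)
    print("http.log:", log)
    print("notices:", notices)
    print("alerts:", run_rules(TRAFFIC))
```

The asymmetry is the point adricnet makes: the rule side is silent unless a pattern fires, which is what makes it cheap enough to run inline, while the policy side records every transaction it understood and raises a notice only where a handler was written to do so, which is why its output is so useful for after-the-fact investigation.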

------
mkr-hn
The submitted link doesn't tell me much about this.

------
kaeruct
this is sexist!!

