The Bro Network Security Monitor (bro.org)
80 points by X4 on May 10, 2014 | 37 comments

I did a ton of work with bro in graduate school, including extensive collaboration with Robin Sommer, one of the project's architects. Bro is a great product, written primarily in C++, which parses protocols and passes events about those protocols up to a set of user-definable handlers. It's been used to study protocol parsing, intrusion detection, and a lot of other topics in network security.

Funny, I was just telling my girlfriend this morning how the US doesn't have many free-standing "research institutes" a la Germany's Max Planck institute, but bro, having been produced by ICSI, came out of one of the best academic CS labs in the US, if not the world -- the International Computer Science Institute.

Incidentally, a big part of my thesis was studying DNS parsers and how network vulnerabilities can be expressed and tracked. It turns out to be an interesting language design problem. One of our papers, "VESPA", the "vulnerability signatures parser", proposed a DSL-like design for describing vulnerabilities using a minimal C++ syntax.

This is a very rich area of research and one I'd like to apply some of my recent high-scale stuff I've done at work on. bro was doing event-based processing in pure C++ long before node.js existed (some 10 years ago) -- these guys are really, really smart.


The large number of "think tanks" which are often funded through a diverse set of grants (RAND, MITRE)

ISI? (the one at USC which invented a lot of the Internet, not the one funding Al Qaeda)

Cheap access to grad students and assistant professors, as well as access to USG funding (and easy visas), probably pushes a lot of this into university affiliated or university departments.

For some reason, this article was rather heavily flagged. I've overridden that, because the project looks serious and credible. Are people just reacting to the title, or is there something else wrong with this story?

As mavam said earlier: (Disclaimer: Bro team member).

For a project named "Bro", I believe that we have a very open and inclusive community. We do play with the word a lot but it's all in the name of fun and very convenient since the name lends itself toward so much word play. There have been times where people have started to use it in the more modern pejorative sense and we've actively yet quietly made it stop. None of us on the core team like that behavior and with the name "Bro" we have to be extra careful with how it's used within the community.

There have been a number of women who have passed through our community and several who are actively involved at the moment (I could say the same about men; our team isn't very large).

I really like that people on this thread have been digging quotes out of Vern's original paper about the lineage for the name. That's easily the best response to all of the "Why Bro?" questions.

I'm sorry that more people won't see this comment. I only noticed it because I was taking one last look through old threads for replies.

Fortunately, there was at least some good discussion of the substance here!

Last time that I can recall a project containing "bro" in its title was on here, it was derided for excluding women and discouraging them from entering the tech industry.[1]

[1] https://news.ycombinator.com/item?id=7121717

I think you're right, and if so these are some pretty lazy people doing the flagging. This project clearly has nothing to do with any modern connotations for the word "bro."

I helped employ women over men, when I saw that they were eager to learn. The reasons for that were simple: I believe that diversity helps to increase the efficiency of a team and that large monolithic, hierarchical, homogeneous teams should be abandoned. Why are people so sensitive about some words? I thought I couldn't understand until I heard about the word "no-homo" last week. THAT was the most absurd word I've heard in my lifetime. As a kid I had zero problems kissing my best friend (on the cheek), regardless of sex, and I'm straight. There's nothing wrong about it, but "normal is relative and time-varying".

I was in the position to scan and choose between many hundreds of job applications, and even at a mid-sized start-up, where only a few applications went in. No, I am NOT an HR person, absolutely not, but they asked me to do it, so I did that too.

EDIT: Not sure why this earned a downvote, but for your information there is no law forcing companies to let a % of women in, for example (in the country I live in).

Maybe automatically flagged because of the word "bro".

It's kind of hard to take them seriously, when the usage of 'bro' has become so unserious. And then they use their name in situations where 'bro' would be used for humor, e.g. BroCon '14, The More You Bro (on their Youtube account).

It's just a mess. The tech looks interesting though, but it's really hard to take them seriously because of the name they chose.

Edit: Why is this getting downvoted? I pointed out my reaction to the title. I had never heard of it before so had no connection to their writings from 15 years ago. P.S. I didn't flag it.

From their white paper:

> "Our monitoring system is called Bro (an Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations)"

So Big Brother = Bro

How ironic that the thought police choose to flag a 1984 inspired tool :)

Quite fitting, really.

It doesn't even make sense because the modern usage is almost exclusively a pejorative term that is only used for some subset of white men. If you look through Urban Dictionary or YouTube, you'd have to scroll a pretty long time to see any other usage. Saying that women are discriminated against because they can't be called bros is like saying white people are discriminated against because they can't be called racial slurs for African Americans.

Their email archive goes back to 1998. Presumably the name wasn't a troll 15 years ago?

It is a reference to "1984" and Big Brother. Their naming choice was mentioned in the original paper about it from 1999: http://www.icir.org/vern/papers/bro-CN99.html

Fair enough. I'm guessing it was people reacting to the title.

Many on HN may not realize, but there are miniature NSA groups in most every organization in the USA. Universities, non-profits, small corporations, local governments, etc. If they have an IT Security group, then they are likely spying on IP connections.

They use Bro, Snort, Suricata, Argus and other tools to record metadata about every IP connection that comes into or leaves their networks. Some of them terminate SSL connections and forge certificates. A few of them even drop encrypted protocols that they are not able to decrypt and inspect.

They use taps and/or SPAN ports to do the spying.

Most of them try to keep this activity quiet. This mentality is pervasive and it is everywhere (especially in USA based organizations). Everyone should be aware.

No one is safe from this spying, even senior management and tenured faculty connections are being inspected and recorded for later use if needed. They just don't know it.

I think this comment is quite misleading. Your average IT Security Group within an organization is not a 'miniature NSA group'. The difference is where Data is collected and monitored.

Your average IT Security Group is focused on their own Internal network. This includes all Internal and External Traffic/Communication going to/From the Internal Network. The reality is, most Security Threats come from an internal source [1]. So yes, your average IT Security Group is interested in monitoring, analyzing, and sometimes dropping internal Traffic. This allows the Organization to track and respond to Data Breaches and Security Incidents. The overall insinuation of this comment seems to be that this is Evil and a Violation of your Privacy (Spying!). But if you've ever worked with (or used Services provided by) any Organization that has a handle on Security, you've likely signed a User Agreement Form (or similar), which clearly states what is going on. So nothing is hidden, and when you think about it, this is a logical reaction to the realities of Security in today's Digital Age. If you can't trust people, then it makes sense to implement checks and balances. Instead of thinking about it from the perspective of a User, think about it from the perspective of a Service Provider, and it makes a lot more sense. If you think this is Unjust, then the solution is simple. Provide your own services and control your own Destiny.

A 'miniature NSA group' is (presumably) focused on External Networks and External Data Sources. And I say presumably because it is not really clear what you mean by 'miniature NSA group', but the insinuation is clear. So this is very different from your average IT Security Group, and it is not correct to insinuate that they are one and the same.

[1] http://www.itproportal.com/2013/10/15/security-experts-no-su...

This post lacks citations, stories where this has been outed, and just seems like bullshit in general.

Well, I have some evidence in support of what he says (at least, that universities log connections). My university, of some 48,000 students (in 2010), logs 100% of all connections. I know, because I have seen the data. It's provided to researchers with the IPs replaced by some other persistent identifier (which they hopefully generated randomly). You can see IP addresses/domain names, and I think they might have also had URL data for http connections (although I'm not sure on that one).

They also emailed and temporarily disconnected all students who were running servers vulnerable to heartbleed, so presumably they do some form of more intensive inspection and logging as well.

Because most universities have pretty wide-open networks with high bandwidth, they do monitor for illegal, commercial, or malware activity on their networks. They don't want to get blacklisted as spammers among other things. They are also highly concerned about possible exposure of sensitive student personal and research data and some have started auto-encrypting emails that appear to contain such.

Why do they keep old logs if they're just monitoring for illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't be logging it.

They keep the logs so they can use them in after-the-fact investigations, and for research.

>and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

In some cases, research does relate to identifying Security Threats. This mostly relates to layer 7, which is much more complex than port- and protocol-based detection. The idea is: if you don't know what you're looking for (presumably a 0-day or unknown threat), then how would one find it? The answer is, research (aka analyze) the data. This ranges from Flow Data (which can date back months/years) to Packet Captures, to even Real Time Deep Packet Inspection (all relating to SIEM Solutions). In these scenarios, you would be looking for the needle in the haystack, but the needle is not clearly defined. You would have to work to identify and define it. So research does relate to identifying illegal/commercial/malware activity. Organizations that understand this are working towards implementing (or have already implemented) real time adaptive security models to mitigate these threats. This will allow them to not only identify and attempt to stop unknown Security Incidents, but also effectively investigate Incidents (forensics).

What he is saying is not bullshit, it's fairly accurate, but just way overblown with the "spying" drama. It should be common sense to keep your personal life at home and use work provided resources for work related stuff...

It's true. I develop such software commercially. Sure we have some govt. users, but the majority is the enterprise.

Full packet capture for how much disk space you want to allocate to it (many like 48 hours) then longer term storage of flow records, DNS and http metadata, etc.

The majority of the use cases are watching the internal uses of the network as well - not generally being used to detect intruders.

I did it back when I worked for a major private university (enrollment 25k+). It was simple, add a tap to the fiber coming into our network (we had redundant fiber connections to our particular little niche of a network, and conveniently, there were taps on the market that would aggregate the traffic from both fiber connections), pipe it to a monitoring server and run the logging + monitoring tool of your choice.

My boss barely understood what I was doing, his superiors certainly didn't know anything about it. We were not part of what would be considered the university IT department either -- we were just some random organization within the university. Who knows how many different people on hops above us were doing the same thing. And I was capturing the full traffic (not metadata) of people who would normally take even extra offense at this sort of thing going on. Not because the traffic contained SSNs or credit card details or something like that, but because the traffic was sensitive in a more private, personal way (I can't go into the particular details any more).

Unfortunately, this brief story doesn't have a juicy ending. I didn't do anything nefarious with the data. I didn't use it to spy on anyone. I simply used it to watch out for attacks against services on our network -- I thought I was doing something positive for the users of our services. But reading the parent post made me pause for a moment and consider that all these things I'm reading about and taking issue with in the news today (the NSA, eavesdropping, etc), that I did something similar, albeit on a much, much, smaller scale myself, many years ago when I was younger and more naive.

I was doing this sort of thing back in the 90's with a product called AbirNet SessionWall. Managers in the gov't department I worked for wanted to know how much time their employees were spending on the internet and what they were doing.

This is anecdotal of course, but I can't imagine what we were doing back then was unique or isolated. It's trivial.

What's the simple comparison between Bro and Snort?

Snort is a rule based IDS/IPS and BroIDS is a policy based IDS. In their default configurations rule based IDS reacts (alerts, blocks) based on the rules loaded where policy based systems like BroIDS interpret the traffic they see and can react to kinds of traffic if configured.

In practice Snort (Suricata, etc) can read, understand and react to individual streams on the wire very quickly. This is especially important for intrusion prevention (IPS) inline.

BroIDS (prelude, etc) generate detailed logs and highlight interesting traffic (as configured) and are excellent for gathering intelligence. One of the recently popular features of BroIDS is to decode and save to disk all files in traffic it sees, checking the hashes of those files against blacklists as it goes.

If you are at all interested in these systems you should try out Security Onion at www.securityonion.net, an awesome pre-configured Linux with many network security monitoring (NSM) tools already installed including Snort, BroIDs and many many others.

(Disclaimer: Bro team member)

First, Bro is a Turing-complete scripting language ("the Python for the network") and Snort/Suricata a system centered around regular-expression matching [1]. These two paradigms have fundamentally different levels of expressiveness.

Second, Bro's core is policy-neutral. That means it has no preconceived notion of good or bad; it simply provides information about activity. On top of that, it ships with numerous policy scripts to detect actual attacks. For example, there exists an SSH analyzer simply reporting the banner for each connection and a byte heuristic for detecting successful logins. On top, there exists another script that attempts to detect brute-forces by simply counting connection attempts per unit time. On the contrary, operators feed Snort/Suricata with rules which feed the system with malicious data. Your analysis is only as good as your rule set. As such, the systems spit out mostly attacks, which are useful iff calibrated to not emit a ton of false positives.

[1] Snort features numerous enhancements for state tracking, but these are one-offs and hard-wired. For example, Snort supports "pre-processors" written in C, which integrate at a much lower level of abstraction.
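As an added example (not code from the Bro project or from either of the commenters above), here is the "policy over a neutral event/log stream" idea from the two Snort-vs-Bro comments expressed in Python: a parser for Bro's `#fields`-headed tab-separated logs, the "count connection attempts per unit time" SSH brute-force heuristic described just above as a sliding window per origin host, and the files-log hash-vs-blocklist check mentioned in the earlier comparison comment. Every host, timestamp, uid, hash, the blocklist, and the threshold/window values are constructed or assumed for the demonstration; the column subset mimics Bro's conn.log and files.log but is not a real capture.

```python
"""Added example (not Bro project code): Bro-style policy logic in Python.

Bro emits tab-separated logs with a '#fields' header naming each column.
Two small "policies" run over constructed sample records:
  1. ssh_bruteforce(): the "count connection attempts per unit time"
     heuristic, as a sliding window per origin host.
  2. blocklisted_files(): match file hashes from files.log against a blocklist.
Hosts, timestamps, hashes and thresholds below are all constructed/assumed.
"""
from collections import defaultdict, deque


def bro_log(fields, rows):
    """Render rows into Bro's TSV layout with a #fields header (constructed data)."""
    lines = ["#fields\t" + "\t".join(fields)]
    lines += ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(lines) + "\n"


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#types, #close, ...) and blanks
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ssh_bruteforce(conn_records, threshold=5, window=60.0):
    """Return {orig_h: ts} for hosts reaching `threshold` SSH connection
    attempts within any `window`-second span (threshold/window are assumed)."""
    recent = defaultdict(deque)
    offenders = {}
    for r in sorted(conn_records, key=lambda r: float(r["ts"])):
        if r.get("service") != "ssh":
            continue
        ts, host = float(r["ts"]), r["id.orig_h"]
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and host not in offenders:
            offenders[host] = ts        # first time the host crossed the line
    return offenders


def blocklisted_files(file_records, blocklist):
    """Return (fuid, hash_kind, value) for files whose hash is on the blocklist."""
    hits = []
    for r in file_records:
        for kind in ("sha256", "sha1", "md5"):
            v = r.get(kind, "-")
            if v != "-" and v.lower() in blocklist:
                hits.append((r["fuid"], kind, v))
                break
    return hits


# --- constructed sample data (mimics a subset of conn.log / files.log columns) ---
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]
T0 = 1399700000.0
CONN_ROWS = (
    # 10.0.0.5: six SSH attempts 5 s apart -> crosses threshold on the fifth
    [(T0 + 5 * i, "Ca%d" % i, "10.0.0.5", 50000 + i, "192.0.2.10", 22, "tcp", "ssh") for i in range(6)]
    # 10.0.0.9: five attempts 100 s apart -> never five inside one 60 s window
    + [(T0 + 100 * i, "Cb%d" % i, "10.0.0.9", 51000 + i, "192.0.2.10", 22, "tcp", "ssh") for i in range(5)]
    # 10.0.0.7: two SSH attempts and one HTTP connection -> benign
    + [(T0 + 1, "Cc0", "10.0.0.7", 52000, "192.0.2.10", 22, "tcp", "ssh"),
       (T0 + 2, "Cc1", "10.0.0.7", 52001, "192.0.2.10", 22, "tcp", "ssh"),
       (T0 + 3, "Cc2", "10.0.0.7", 52002, "198.51.100.3", 80, "tcp", "http")]
)
FILES_FIELDS = ["ts", "fuid", "source", "mime_type", "md5", "sha1"]
BAD_SHA1 = "deadbeef" * 5   # constructed 40-hex "known bad" hash, not a real sample
FILES_ROWS = [
    (T0 + 3, "F1", "HTTP", "application/x-dosexec", "-", BAD_SHA1),
    (T0 + 4, "F2", "HTTP", "text/html", "-", "0" * 40),
]
BLOCKLIST = {BAD_SHA1}

SAMPLE_CONN = parse_bro_log(bro_log(CONN_FIELDS, CONN_ROWS))
SAMPLE_FILES = parse_bro_log(bro_log(FILES_FIELDS, FILES_ROWS))

if __name__ == "__main__":
    print("ssh brute-force candidates:", ssh_bruteforce(SAMPLE_CONN))
    print("blocklisted files:", blocklisted_files(SAMPLE_FILES, BLOCKLIST))
```

The point of the split is the one the comment makes: the parser and the sample records carry no notion of good or bad, and each policy is a few lines that can be tuned or swapped without touching the data layer. The sliding window matters in practice: the same five attempts spread over several minutes (host 10.0.0.9) never trigger, while five inside a minute (host 10.0.0.5) do.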

snort, last time I checked, operated on much simpler primitives like regular expressions and static strings.

Bro, on the other hand, is less of a product and more of a framework (think RoR) for studying protocol design and parsing. It's written in pure C++ so it's fast, and a lot of research papers have been written exploring things like programming paradigms for processing network data (functional vs. stream vs. imperative vs. OO), the best way to express exploits and vulnerabilities, efficient ways of tracking and storing protocol state, etc.

I think they're trying to commercialize it into something usable without tons of tuning. A good goal, as it's not that usable for out-of-box IDS/IPS ca. 5 yrs ago.

The submitted link doesn't tell me much about this.

this is sexist!!

