What is Bro?
Bro is a comprehensive platform for network traffic analysis, with a particular focus on semantic security monitoring at scale.
It provides users with a flexible framework that facilitates customized, in-depth monitoring.
Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurement and help with troubleshooting.
The most immediate benefit that a site gains from deploying Bro is an extensive set of log files that record a network’s activity in high-level terms. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts such as all HTTP sessions with their requested URIs, key headers, MIME types, and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions; and much more.
Bro accommodates high-speed, high-volume networks by supporting scalable load balancing: large sites typically run “Bro Clusters”, in which a high-speed frontend load balancer distributes the traffic across an appropriate number of backend PCs, all running dedicated Bro instances on their individual traffic slices.
Bro Features
Deployment
- Fully passive traffic analysis off a network tap or monitoring port.
- Standard libpcap interface for capturing packets.
- Real-time and offline analysis.
- Cluster support for large-scale deployments.
- Unified management framework for operating both standalone and cluster setups.
Analysis
- Comprehensive logging of activity for offline analysis and forensics.
- Port-independent analysis of application-layer protocols.
- Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, SSL).
- Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting.
- Tunnel detection and analysis (including Ayiya, Teredo, GTPv1). Bro decapsulates the tunnels and then proceeds to analyze their content as if no tunnel was in place.
- Extensive sanity checks during protocol analysis.
Scripting Language
- Event-based programming model.
- Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
- Extensive support for tracking and managing network state over time.
Bro Architecture
Bro is layered into two major components: the event engine and the script interpreter.
Event Engine
The event engine (core) reduces the incoming packet stream into a series of higher-level events.
Events reflect network activity: they describe what has been seen, but not why it happened or whether it is significant.
Example: every HTTP request on the wire turns into an http_request event that carries the following information:
- involved IP addresses and ports
- URI being requested
- HTTP version in use
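As an added example (not code from the Bro documentation this page summarizes), here is a handler for that event. The event engine delivers the fields listed above as handler parameters; what the script does with them, here printing each request and keeping a per-version counter, is policy that the script author decides. The script and trace file names are assumptions.

```bro
# Added example: handle the http_request event the event engine generates
# for every HTTP request. Run offline against a trace (names assumed):
#   bro -r http.pcap http_request_demo.bro

# Statistics derived from the event stream: requests seen per HTTP version.
global versions_seen: table[string] of count &default=0;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # c$id is the conn_id record: originator/responder host and port.
    print fmt("%s:%s -> %s:%s  %s %s HTTP/%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              method, unescaped_URI, version);

    # The event only says "a request happened"; deciding whether that
    # matters is the script's job. Here we merely count per version.
    versions_seen[version] += 1;
    }

# Runs once Bro has finished processing the trace.
event bro_done()
    {
    for ( v in versions_seen )
        print fmt("HTTP/%s: %d requests", v, versions_seen[v]);
    }
```

The same event fires whether the HTTP traffic is on port 80 or elsewhere, because the analyzer is selected by content rather than port (the port-independent analysis listed under Features).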
Script Interpreter
Executes a set of event handlers written in Bro's custom scripting language.
- Can express a site's security policy
- That is, what actions to take when the monitor detects different types of activity
- Can derive any desired properties and statistics from the input traffic
- Scripts can maintain state over time, enabling them to track and correlate the evolution of what they observe across connection and host boundaries.
- Can generate real-time alerts and also execute arbitrary external programs on demand to trigger an active response to an attack.
Using the Security Onion VM
Bro is a Network Security Monitoring (NSM) application or framework.
Bro is stream-based: it reassembles packets into connections rather than inspecting packets in isolation.
Bro uses the connection as a data type; each connection is represented by a connection record.
The $ operator dereferences record fields. If we wanted the originator of a connection c, we could walk the printed connection record and build the expression c$id$orig_h (the originator's address; c$id$orig_p is its port).
fmt() operates like printf and returns the formatted string.
When using new_connection(), your script generates events in roughly the same order as the connections appear in the trace file, because the event fires as soon as Bro sees the first packet of a connection. If you use connection_state_remove() instead, you will see the events generated after each connection has ended, when Bro is about to discard its state.
In connection_state_remove() we can see that pertinent fields such as history, duration, and conn_state have been filled out for us; in new_connection() they are not yet known.
A conn_state of “SF” indicates normal connection establishment and termination.
While the new_packet() event has primarily niche uses due to the extra load it introduces (it fires for every single packet), it is handy for parsing trace files and exploring how Bro works and what it does behind the scenes.
If you are unfamiliar with the += operator, it adds onto an already defined variable, for example incrementing a counter kept in a table.
NOTICE() takes one argument, the Notice::Info record, but it is a whopper. You can pass a rather massive amount of information into NOTICE() via the Notice::Info record, but the only required field is $note, a Notice::Type. If we just wanted to generate a notice, albeit a somewhat unhelpful one, we could pass it just the Notice::Type we added.
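As an added example that is not code from this page or from the Bro project, the following policy script ties the preceding notes together: new_connection() and connection_state_remove() handlers, $ dereferencing of c$id, fmt(), a counter maintained with +=, the "SF" conn_state check, and a NOTICE() raised once a threshold is crossed. The module name, notice type, threshold value and file names are assumptions.

```bro
# Added example (not from the page or the Bro project). Run against a trace:
#   bro -r conn.pcap conn_demo.bro
# Raised notices land in notice.log; print output goes to stdout.

@load base/frameworks/notice

module ConnDemo;

export {
    redef enum Notice::Type += {
        # Raised when one originator completes `threshold` connections.
        Many_Connections
    };

    # Assumed threshold; tunable with `redef ConnDemo::threshold = 50;`.
    const threshold: count = 10 &redef;
}

# State that outlives individual connections: completed connections per originator.
global conns_per_orig: table[addr] of count &default=0;

# Fires when Bro first sees a connection, so only c$id is meaningful here;
# duration, history and conn_state are not yet known.
event new_connection(c: connection)
    {
    print fmt("new:  %s:%s -> %s:%s", c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p);
    }

# Fires after the connection has ended and Bro is about to discard its state,
# so the summary fields have been filled in.
event connection_state_remove(c: connection)
    {
    # conn_state lives in the Conn::Info record attached by base/protocols/conn;
    # guard the optional fields rather than assuming they are present.
    local state = ( c?$conn && c$conn?$conn_state ) ? c$conn$conn_state : "-";

    print fmt("done: %s:%s -> %s:%s duration=%s history=%s conn_state=%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              c$duration, c$history, state);

    # Only count connections that were established and terminated normally.
    if ( state != "SF" )
        return;

    local orig = c$id$orig_h;
    conns_per_orig[orig] += 1;

    # Raise the notice exactly once per originator, when the count hits the threshold.
    if ( conns_per_orig[orig] == threshold )
        NOTICE([$note=Many_Connections,
                $msg=fmt("%s completed %d connections", orig, threshold),
                $src=orig,
                $n=threshold,
                $conn=c,
                # Same identifier => duplicate notices are suppressed.
                $identifier=cat(orig)]);
    }

event bro_done()
    {
    for ( a in conns_per_orig )
        print fmt("%s: %d completed connections", a, conns_per_orig[a]);
    }
```

If the trace was captured with checksum offloading enabled, add -C so Bro ignores the bad checksums; otherwise many connections never reach the "SF" state and the counter stays low.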
Please check out the links below:
Resume website — https://tommarler.org
Linkedin — https://www.linkedin.com/in/tom-m-bb4857112/