(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last weekend I attended a presentation by Liam Randall (@hectaman) on the Bro networking language. It helped break through many of the assumptions I had about it and encouraged me to take a second look at using it in the lab. His talk is available on YouTube and the slides are available here: http://www.appliednsm.com/shmoocon-2013-bro-slides-and-video/

I have Snort, why do I need another IDS?

That pretty much summed up my thoughts about Bro. Liam described most people's NSM stack as: tcpdump for capture, Wireshark for analysis, Argus for flow data, Snort for alert data, and Python to script the interactions between them. When he said that Bro could replace each of these tools I was a mix of incredulous and intrigued. The key point that helped me understand was the explanation that Bro is a domain-specific language for networking applications and that Bro-IDS (http://bro-ids.org/) is an application written in Bro.

So, what else does it do?

Basically, Bro generates events from traffic, and these events drive actions or generate structured output. If you've ever had a need to quickly script something to process the output of tcpdump, you'll see the appeal of Bro, which dumps traffic out in an orderly fashion that's very UNIX command-line friendly.

Using something like Liam's fire-scripts (https://github.com/LiamRandall/bro-scripts/tree/master/fire-scripts) you can explore how protocols are being implemented on your network. While Wireshark does an outstanding job of coloring protocols and identifying flows, Bro scripts do a better job of identifying the order of events and the counts of events in a session (helpful for spotting bots that are pretending to be Internet Explorer, or SSL/TLS shenanigans).
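To make the "events drive actions or structured output" idea concrete, here is a small added example of my own, not code from the diary or from Liam's fire-scripts: it handles Bro's `http_request` and `http_header` events to count requests and record the claimed User-Agent per connection, then writes one structured log line per connection when Bro tears the connection state down. It assumes Bro 2.x syntax; the module name `HTTPCount`, the log stream and the `max_requests` threshold are my own choices.

```bro
# Added example (not part of the diary or of the fire-scripts repository).
# Per-connection HTTP request counting with structured output, for Bro 2.x.
module HTTPCount;

export {
    # Register a new log stream; Bro writes it to httpcount.log.
    redef enum Log::ID += { LOG };

    # One record per connection: the columns of the structured output.
    type Info: record {
        ts:         time    &log;   # time the connection state was removed
        uid:        string  &log;   # Bro's connection identifier
        id:         conn_id &log;   # 4-tuple (orig/resp host and port)
        requests:   count   &log;   # number of HTTP requests seen
        user_agent: string  &log &optional;
        excessive:  bool    &log &default=F;
    };

    # Request count above which a session is marked as excessive
    # (assumed threshold; tune for your network).
    const max_requests = 50 &redef;
}

# Event-driven state keyed by connection uid.
global req_counts: table[string] of count &default=0;
global agents: table[string] of string;

event bro_init()
    {
    Log::create_stream(HTTPCount::LOG, [$columns=Info]);
    }

# Each client request raises this event; count it against the session.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    ++req_counts[c$uid];
    }

# Header names arrive upper-cased; keep the client's claimed User-Agent.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( is_orig && name == "USER-AGENT" )
        agents[c$uid] = value;
    }

# When the session ends, emit one structured record and drop the state.
event connection_state_remove(c: connection)
    {
    if ( c$uid !in req_counts )
        return;
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $requests=req_counts[c$uid]];
    if ( c$uid in agents )
        rec$user_agent = agents[c$uid];
    rec$excessive = req_counts[c$uid] > max_requests;
    Log::write(HTTPCount::LOG, rec);
    delete req_counts[c$uid];
    delete agents[c$uid];
    }
```

Run it against a capture with `bro -r traffic.pcap httpcount.bro` and the resulting `httpcount.log` is tab-separated, so the request counts and User-Agent strings can be sorted and filtered with the usual command-line tools.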

Bro can be scripted to extract every executable that flies by on the wire. While this can be done with a few clicks in Wireshark or batched by using tcpflow, Bro lets you make it part of the analysis process, from which you can then kick off other static analysis or additional alerts.

How do I get started?

The shortest path to playing with Bro is via Security-Onion: http://code.google.com/p/security-onion/ It's an .iso that you can either boot from or build a VM from.

What are you using Bro for?

While Googling around to verify the links for this entry, I see a lot of interesting SSL/TLS projects and APT1-related modules and scripts. For those of you who are using Bro in your processes, leave a comment below.