Sunday, July 29, 2007

Bro: It's not just NIDS

Thanks to Bro team which has published the workshop materials online so that we can learn more about Bro internal. While I have been using Bro in Operational Network, I haven't actually learned about Bro Scripting Language. Therefore I think those materials will be ice-breaker for me because it really makes thing clear and I plan to finish all the exercises to further sharpen my skills in operating Bro.

There are few things I have noted in the materials provided, in the slide 6 of Bro Overview -

Much of the system is policy-neutral
- i.e. no presumption of "good" or "bad"

This is exactly similar to NSM concept where we don't assume any alert events provided by IDS as intrusion or extrusion without further confirmation and verification with the subsystem given.

From the slide 4 of Bro Conclusion and Outlook -

The Bro Cluster
- A set of PCs running Bro jointly analyze large network streams
- A central manager system

And 5th slide -

Multi-Core Support
- Going to turn Bro into multi-threaded application
- Will fully exploit the multi-core potential of modern CPUs

I would love to see all of them integrated to Bro in near future as it will benefit us with both low or high end hardwares.

Again from the slide 4 of Bro Conclusion and Outlook -

New Functionality
- Time Machine Interface
- Netflow Analyzer

I have written the setup of time machine here previously and time machine will soon be integrated with Bro to provide full content data via its indexing system. If you want to learn more about it, check out its main site -

With Netflow Analyzer added that is plus point as most of the companies having Cisco router deployed in their network, or you can use fprobe if running *nixes network appliance.

Think again about the approach, is Bro a Network Intrusion Detection System?

Again I have to emphasize, NSM analyzt is da future!

Peace ;]


seth said...

I'm glad people are finally starting to see what Bro can do! We've been using it at The Ohio State University for a while now and we're bringing up our cluster at the moment so that we can do heavier analysis to our traffic. If you need help with anything, or have any questions, feel free to post to the mailing list or ask me directly.

geek00L said...

Hi Seth,

Sure thing, I haven't got time to setup Bro cluster yet but I will try it when possible. Currently I'm learning Bro scripting language to make full use of it and find it really interesting.