What is Bro? And Why IDS Doesn’t Effectively Describe It [Overview and Resources]

by Bricata

What is Bro? Bro is an open source software framework for analyzing network traffic that is most commonly used to detect behavioral anomalies on a network for cybersecurity purposes.

Bro provides capabilities that are similar to a network intrusion detection system (IDS); however, thinking about Bro exclusively as an IDS doesn’t effectively describe the breadth of its capabilities. This is because Bro enables security operations centers (SOCs) to do much more – including performing incident response, forensics, file extraction, and hashing, among other capabilities.

Experienced technical users define Bro as a network traffic analysis and classification engine. From that perspective, Bro performs two key tasks that benefit security organizations:

1) Converts data about network traffic into higher-level events; and

2) Provides a script interpreter – a robust programming language – which is used to interact with events and understand what those events mean in terms of network security.

In other words, Bro captures metadata about activity on a network and then provides a programming language to understand when that activity presents malicious or suspicious indications.

Bro Compared to Conventional IDS

As Bro monitors a traffic stream it produces logs that record everything it understands about the network activity. This understanding includes connection records, the volume of packets sent and received, attributes about TCP sessions, and other metadata that is useful for analyzing network behavior and understanding the context of that behavior.

What is deemed suspicious network behavior in one organization may be routine in another. This is why the Bro programming language is so advantageous; it can be used to customize the interpretation of metadata to the specific needs of an organization.

A good way to understand why this is so unique is to compare it to a conventional rules-based IDS such as Suricata or Snort. A classic use case for those tools is to monitor traffic on a targeted port for a specific attribute – a certain protocol or byte pattern that exists in the packet payloads. When those conditions match the rule, the IDS triggers an alert.

Bro provides a way to perform the same types of checks for traffic attributes, but with the added value of a programmatic interface. This means Bro can be used to compute numerical statistics and perform regular expression pattern matching. It can also build out complex logical conditions using AND, OR and NOT operators, which allows users to customize the analysis to their environment.
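As an added illustration of that difference (this is example code written for this page, not a script from the Bro project or from Bricata), the Bro script below does in a handful of lines what a rule-based IDS would express as a signature: it matches a regular expression against HTTP request URIs, combines that match with AND/OR/NOT conditions on direction and method, and only raises a notice once a per-host statistic (number of distinct servers that served a matching request) crosses a threshold. The module name, notice type, pattern and threshold are all assumptions chosen for illustration; the language is Bro script (now called Zeek script).

```zeek
# Added example, not part of the original post or the Bro project.
# Programmatic equivalent of a "match executable downloads" rule, with a
# per-source statistic that a static signature cannot express.
module SuspiciousHttp;

export {
    redef enum Notice::Type += {
        ## Raised when an internal host fetches executables from many servers.
        Exe_Download_Spread
    };

    ## Payload attribute a signature would match on (assumed for illustration).
    const exe_pattern = /\.(exe|dll|scr)(\?.*)?$/ &redef;

    ## Number of distinct serving hosts before a notice is raised (assumed).
    const server_threshold = 5 &redef;
}

# Per-source set of servers that answered a matching request. Entries expire
# after an hour without reads so the table does not grow without bound.
global exe_servers: table[addr] of set[addr] &read_expire=1hr;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    # Logical conditions combined with AND/OR/NOT: only GET requests that leave
    # the local network (as defined by Site::local_nets) are of interest.
    if ( method != "GET" || ! Site::is_local_addr(src) || Site::is_local_addr(dst) )
        return;

    # Regular expression match against the decoded URI, case-folded first.
    if ( exe_pattern !in to_lower(unescaped_URI) )
        return;

    if ( src !in exe_servers )
        exe_servers[src] = set();
    add exe_servers[src][dst];

    # Numerical statistic rather than a one-shot match: notice once the count
    # of distinct servers reaches the threshold (exactly once per source).
    if ( |exe_servers[src]| == server_threshold )
        NOTICE([$note=Exe_Download_Spread,
                $msg=fmt("%s fetched executables from %d distinct servers",
                         src, server_threshold),
                $conn=c,
                $identifier=cat(src)]);
    }
```

The script relies on Site::local_nets being configured so that Site::is_local_addr can tell internal from external hosts; without it every connection is treated as external and nothing fires. Loading it alongside Bro's default scripts writes any hit to notice.log with the originating connection attached.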

Also see these related posts:
Snort, Suricata and Bro: 3 Open Source Technologies for Securing Modern Networks
Layers of Cybersecurity: Signature Detection vs. Network Behavioral Analysis
What is File Carving and How Does it Enhance Network Security?


The Bro Forensic Capabilities

While Bro provides network traffic visibility and the capability to perform threat detection, it also provides the means to conduct incident response and forensics all in one place. If, for example, federal law enforcement notifies an enterprise of evidence that a system is beaconing out to a malicious domain they are monitoring, Bro can determine which machine is responsible.

Since Bro maintains a record of network transactions, a user can look back at how a series of events played out leading up to that notification. This forensic examination helps determine the behavior a machine was exhibiting before beaconing and whether other machines were touched or infected in the process.

There’s really nothing quite like Bro available today. It provides real-time traffic inspection for a wide range of protocols and also functions as a network recorder and collection tool, with the capacity to perform offline analysis.
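To show the forensic workflow described above concretely, here is an added example script (written for this page, not taken from the Bro project or from Bricata) that answers the "which machine is responsible" question: it watches DNS queries for a domain supplied by an outside party and raises a notice naming the internal host that asked for it. The same script runs unchanged against live traffic or, with `bro -r`, against a saved capture, which is the offline-analysis case. The module name, notice type and the placeholder domain are assumptions.

```zeek
# Added example, not part of the original post or the Bro project.
# Identify which internal host resolves a domain reported as malicious.
module WatchedDomain;

export {
    redef enum Notice::Type += {
        ## An internal host looked up a domain on the watch list.
        Lookup
    };

    ## Domains reported by an outside party. Placeholder value only; supply
    ## the real domain with: redef WatchedDomain::watched += { "..." };
    const watched: set[string] = { "placeholder-beacon.example" } &redef;
}

# Returns T when the query equals a watched domain or is a subdomain of one.
function is_watched(query: string): bool
    {
    local q = to_lower(query);
    for ( d in watched )
        {
        if ( q == d )
            return T;
        # Subdomain check: the query must end in "." followed by the domain.
        if ( |q| > |d| && sub_bytes(q, |q| - |d|, |d| + 1) == "." + d )
            return T;
        }
    return F;
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( ! is_watched(query) )
        return;

    # The originating address of the DNS connection is the machine to examine.
    NOTICE([$note=Lookup,
            $msg=fmt("%s looked up watched domain %s", c$id$orig_h, query),
            $sub=query,
            $conn=c,
            $identifier=cat(c$id$orig_h, query)]);
    }
```

Run against a retained capture as `bro -r capture.pcap watched_domain.bro` (or `zeek -r` on current releases); notice.log then lists the querying host and the connection, and the matching entries in dns.log and conn.log give the surrounding activity to reconstruct what that host was doing before and after the lookup. If clients resolve through an internal forwarder, the originating address will be the forwarder, so the forwarder's own query logs are needed to reach the end host.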

Use Cases for Bro in Practice

A common use case for Bro is the identification of network behavioral deviations. A few examples include an internal host that suddenly begins communicating with a machine for the first time ever, communicating with more hosts than normal, or using a protocol that is different or unusual.

While this broad use case is fairly common, one of the big advantages of Bro is its ability to be customized to unique environments. To help illustrate this, we’ve pulled together specific examples from three different vertical markets:

1) Bro use case for retail.

The point-of-sale (POS) system is high-risk for retailers striving to protect credit card data to avoid both financial damages and adverse regulatory effects. Bro can be configured to monitor those systems used for credit card transactions and understand what protocols are used and what systems should be communicating with each other under routine circumstances. In other words, it characterizes what the typical pattern of traffic to and from POS terminals looks like – which allows it to identify when those patterns are deviating. This can be used to flag potential problems sooner, and in the event of a compromise, understand the effects on data and scope of impact.

2) Bro use case for energy.

Institutions that generate or transmit energy typically use a closed IP-based control system called supervisory control and data acquisition (SCADA). Because these systems are closed, the network communications and behavior fall into a consistent pattern. In the energy vertical, Bro is frequently deployed to establish a baseline of what a normal pattern looks like – the number of connections or hosts an endpoint communicates with, the protocols it uses, and the amount of data it typically sends or receives. If these systems begin communicating with nodes they never have before, Bro provides the means to write scripts to identify this anomaly. While this is a similar adaptation to the POS use case, the implications are different because they are physical and can include damage to supply and control systems, reductions in output, and potentially power outages with the many possible side effects that come with an outage.

3) Bro use case for healthcare.

A principal concern for network security in healthcare is data leakage – specifically, personal health information (PHI) being leaked from the network. Bro captures the metadata about the network communications, and the programming language can be used to write scripts to interpret when that metadata contains information suggesting PHI is potentially leaving the network.
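The behavioral deviation case introduced at the start of this section and the retail and energy examples all come down to the same mechanism: learn which peers a monitored host normally talks to, then notice the first contact with an unknown peer and hosts that fan out to more peers than usual. The following added example (written for this page; not a script from the Bro project or from Bricata) implements that baseline in Bro script. The module name, notice types, the monitored subnet, the learning period and the peer limit are placeholders to be adapted to the POS terminals or SCADA endpoints in question.

```zeek
# Added example, not part of the original post or the Bro project.
# Baseline the peers of monitored hosts (POS terminals, SCADA endpoints, ...)
# and notice first-ever peers and unusually wide fan-out.
module PeerBaseline;

export {
    redef enum Notice::Type += {
        ## A monitored host contacted a peer it has never talked to before.
        New_Peer,
        ## A monitored host is talking to more distinct peers than allowed.
        Peer_Count_Exceeded
    };

    ## Hosts to baseline. Placeholder subnet; redef to the real one.
    const monitored: set[subnet] = { 10.10.0.0/24 } &redef;

    ## Period after start-up during which new peers are learned silently.
    const learning_period = 7days &redef;

    ## Distinct peers a monitored host may have before a notice (assumed).
    const max_peers = 20 &redef;
}

# Known peers per monitored host. Kept in memory for the example; entries
# not written for 30 days are dropped. Persisting the baseline across
# restarts would use Bro's Input framework and is not shown here.
global peers: table[addr] of set[addr] &write_expire=30days;

# Start of the learning period, taken from the first observed connection so
# that the script behaves the same on live traffic and on a saved capture.
global baseline_started = F;
global baseline_start: time;

event connection_established(c: connection)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    # Only connections initiated by a monitored host are baselined.
    if ( src !in monitored )
        return;

    if ( ! baseline_started )
        {
        baseline_start = network_time();
        baseline_started = T;
        }

    local learning = network_time() - baseline_start < learning_period;

    if ( src !in peers )
        peers[src] = set();

    # First-ever contact with this peer: learn it, and after the learning
    # period report it.
    if ( dst !in peers[src] )
        {
        add peers[src][dst];
        if ( ! learning )
            NOTICE([$note=New_Peer,
                    $msg=fmt("%s contacted %s for the first time", src, dst),
                    $conn=c,
                    $identifier=cat(src, dst)]);
        }

    # Fan-out check: the identifier makes the notice framework suppress
    # repeats for the same host during its default suppression interval.
    if ( ! learning && |peers[src]| > max_peers )
        NOTICE([$note=Peer_Count_Exceeded,
                $msg=fmt("%s has %d distinct peers, limit %d",
                         src, |peers[src]|, max_peers),
                $conn=c,
                $identifier=cat(src)]);
    }
```

The same table can be keyed on the responder port as well (a `set[addr, port]`) to catch a known peer being reached over a protocol that was never used before, which covers the "different or unusual protocol" deviation mentioned above; the address-only form is shown to keep the example short. For a SCADA or POS population the learning period should cover at least one full operational cycle (month-end batch jobs, maintenance windows) so those peers are learned rather than reported.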

Additional Resources for Understanding Bro

Bro is extremely powerful because it captures network metadata and provides a programming language that can be used to interpret network behavioral signs of interest. This allows organizations to examine threats from different perspectives, and it’s why Bricata has included Bro on its sensors as one of three important detection engines.

For those interested in learning more about Bro, we recommend the following resources:

If you enjoyed this post, you might also like:
Threat Evolution and the Economics of Cybersecurity [Q&A with John Pirc, Author and Security Expert]
