Bro v2.5.5 release: powerful network analysis framework

Bro Network Security Monitor

Bro is a powerful framework for network analysis and security monitoring. On top of the functionality it provides out of the box, it also offers the flexibility to customize analysis almost arbitrarily.

Features

  • Adaptable

    Bro’s domain-specific scripting language enables site-specific monitoring policies.

  • Efficient

    Bro targets high-performance networks and is used operationally at a variety of large sites.

  • Flexible

    Bro is not restricted to any particular detection approach and does not rely on traditional signatures.

  • Forensics

    Bro comprehensively logs what it sees and provides a high-level archive of a network’s activity.

  • In-depth Analysis

    Bro comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

  • Highly Stateful

    Bro keeps extensive application-layer state about the network it monitors.

  • Open Interfaces

    Bro interfaces with other applications for real-time exchange of information.

  • Open Source

    Bro comes with a BSD license, allowing for free use with virtually no restrictions.

Changelog v2.5.5

* Fix signed/unsigned comparison warning (Jon Siwek, Corelight)

* Add ‘smtp_excessive_pending_cmds’ weird (Jon Siwek, Corelight)

* Fix SMTP command string comparisons (Jon Siwek, Corelight)

* Improve handling of empty lines in several text protocol analyzers (Jon Siwek, Corelight)

* Add rate-limiting sampling mechanism for weird events (Jon Siwek, Corelight)

By default, the generation of weird events is now rate-limited according to these tunable options:

– Weird::sampling_whitelist
– Weird::sampling_threshold
– Weird::sampling_rate
– Weird::sampling_duration

The new get_reporter_stats() BIF also allows one to query the total number of weirds generated (pre-sampling) which the new policy/misc/weird-stats.bro script uses periodically to populate a weird_stats.log.

There are also new reporter BIFs that allow generating weirds from the script layer so that they go through the same internal rate-limiting/sampling mechanism:

– Reporter::conn_weird
– Reporter::flow_weird
– Reporter::net_weird

Some of the code was adapted from previous work by Johanna Amann.
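The following site-local script is an added example, not part of the release notes or of the Bro distribution, showing how the sampling options and the reporter BIFs listed above fit together. It assumes the option types from base/frameworks/notice/weird.bro in 2.5.5 (sampling_whitelist is a set[string], sampling_threshold and sampling_rate are counts, sampling_duration is an interval, all marked &redef), that Reporter::conn_weird returns T when the weird was actually reported and F when the sampler suppressed it, and that get_reporter_stats() returns a record whose weirds_by_type field is a table[string] of count. The header-size threshold, the weird name "site_http_oversized_header" and the report interval are invented for illustration, and the values chosen for the options are example settings, not the shipped defaults.

```bro
##! Added example (hypothetical site/weird-tuning.bro): tune the v2.5.5
##! weird sampler and raise a script-layer weird through the same sampler.

# Both are loaded by default in 2.5.5; the @loads only make the dependency explicit.
@load base/frameworks/notice/weird
@load base/protocols/http

module SiteWeird;

# Sampling tunables from the release notes. Example values, not the defaults.
redef Weird::sampling_threshold = 50;     # first 50 weirds of a name are always reported
redef Weird::sampling_rate = 500;         # afterwards only 1 in 500 of that name is reported
redef Weird::sampling_duration = 15min;   # per-name/flow/conn counters expire after 15 min

# Weird names that should never be sampled (assumed: weirds worth seeing every time).
redef Weird::sampling_whitelist += {
	"data_before_established",
	"dns_unmatched_msg",
};

export {
	## Hypothetical site threshold for a single HTTP header value.
	const max_header_value_len = 8192 &redef;

	## Hypothetical interval at which pre-sampling counters are printed.
	const stats_interval = 5min &redef;
}

# Number of our own weirds the sampler dropped (conn_weird returned F).
global suppressed: count = 0;

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( |value| <= max_header_value_len )
		return;

	# Script-layer weird; "site_http_oversized_header" is our own name, not a
	# core weird. It is rate-limited exactly like weirds raised by the core.
	local reported = Reporter::conn_weird("site_http_oversized_header", c,
	                                      fmt("%s=%d bytes", name, |value|));
	if ( ! reported )
		++suppressed;
	}

# Periodically query the pre-sampling totals, which is what
# policy/misc/weird-stats.bro does to populate weird_stats.log.
event report_weird_stats()
	{
	local stats = get_reporter_stats();
	for ( wname in stats.weirds_by_type )
		print fmt("%s: %d raised before sampling", wname, stats.weirds_by_type[wname]);

	print fmt("site_http_oversized_header suppressed by sampler: %d", suppressed);
	schedule stats_interval { report_weird_stats() };
	}

event bro_init()
	{
	schedule stats_interval { report_weird_stats() };
	}
```

Load it with `bro -r trace.pcap site/weird-tuning.bro` (or add it to local.bro). Comparing the pre-sampling count printed from get_reporter_stats() with the number of entries in weird.log shows how much the sampler is dropping; if a name you care about is being thinned out, add it to Weird::sampling_whitelist rather than raising the global threshold.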

Copyright (c) 1995-2016, The Regents of the University of California through the Lawrence Berkeley National Laboratory and the International Computer Science Institute. All rights reserved.


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering
