Bro v2.5.5 release: powerful network analysis framework
Bro Network Security Monitor
Bro is a powerful framework for network analysis and security monitoring. Beyond the functionality it provides out of the box, it offers the flexibility to customize analysis almost arbitrarily.
Features
Adaptable
Bro’s domain-specific scripting language enables site-specific monitoring policies.
Efficient
Bro targets high-performance networks and is used operationally at a variety of large sites.
Flexible
Bro is not restricted to any particular detection approach and does not rely on traditional signatures.
Forensics
Bro comprehensively logs what it sees and provides a high-level archive of a network’s activity.
In-depth Analysis
Bro comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
Highly Stateful
Bro keeps extensive application-layer state about the network it monitors.
Open Interfaces
Bro interfaces with other applications for real-time exchange of information.
Open Source
Bro comes with a BSD license, allowing for free use with virtually no restrictions.
Changelog v2.5.5
* Fix signed/unsigned comparison warning (Jon Siwek, Corelight)
* Add ‘smtp_excessive_pending_cmds’ weird (Jon Siwek, Corelight)
* Fix SMTP command string comparisons (Jon Siwek, Corelight)
* Improve handling of empty lines in several text protocol analyzers (Jon Siwek, Corelight)
* Add rate-limiting sampling mechanism for weird events (Jon Siwek, Corelight)
The generation of weird events is now rate-limited by default according to these tunable options:
– Weird::sampling_whitelist
– Weird::sampling_threshold
– Weird::sampling_rate
– Weird::sampling_duration
The new get_reporter_stats() BIF also allows one to query the total number of weirds generated (pre-sampling), which the new policy/misc/weird-stats.bro script uses periodically to populate a weird_stats.log.
There are also new reporter BIFs that allow generating weirds from the script layer such that they go through the same internal rate-limiting/sampling mechanisms:
– Reporter::conn_weird
– Reporter::flow_weird
– Reporter::net_weird
Some of the code was adapted from previous work by Johanna Amann.
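As an added example (not part of the release notes or the Bro distribution), the following local.bro fragment tunes the sampling options listed above and raises a weird from the script layer via Reporter::conn_weird so that it is subject to the same sampling. The option and BIF names come from the changelog; the numeric values, the Reporter::conn_weird argument order (name, connection, additional text) and the "long_lived_connection" weird name are assumptions made for illustration.

```bro
# Added example: tune weird sampling and raise a script-layer weird.
# Values below are constructed for illustration, not recommended defaults.

# Let the first 50 weirds of a given name through unsampled...
redef Weird::sampling_threshold = 50;
# ...then keep only one in every 500 for that name...
redef Weird::sampling_rate = 500;
# ...and start a fresh counting window every 5 minutes.
redef Weird::sampling_duration = 5min;

# Weird names that must never be sampled, e.g. the new SMTP weird from
# this release, so every occurrence still reaches weird.log.
redef Weird::sampling_whitelist += {
    "smtp_excessive_pending_cmds",
};

module LocalChecks;

export {
    # Constructed threshold: flag connections open longer than this.
    const max_conn_duration = 1hr &redef;
}

event connection_state_remove(c: connection)
    {
    if ( c$duration > max_conn_duration )
        {
        # Script-generated weird: because it goes through Reporter::conn_weird
        # it is counted by get_reporter_stats() and rate-limited like any
        # weird produced by the core analyzers.
        Reporter::conn_weird("long_lived_connection", c,
                             fmt("duration=%s", c$duration));
        }
    }
```

Once loaded, the pre-sampling totals for "long_lived_connection" appear in weird_stats.log when policy/misc/weird-stats.bro is also loaded.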
Copyright (c) 1995-2016, The Regents of the University of California through the Lawrence Berkeley National Laboratory and the International Computer Science Institute. All rights reserved.