1 What is Bro?

• Bro is an open-source network security platform that incoming packet streams into high-level events. Bro allows you to configure an array of real-time alerts, execute arbitrary programs on demand, and log data for later use.[1]

• Bro began within a research project at the Lawrence Berkeley National Laboratory in 1995 and moved onto an operational deployment there a year later. [1]

• Bro has been compared to tcpdump, wireshark, Snort, netflow, and Perl (or any other scripting language) all in one. [2]

1.1 Where does Bro get data?

• PCAP
• Tapped / SPAN'ed Network traffic

1.2 What data does Bro Produce?

• Events

   event http_header(c: connection, is_orig: bool, name: string, value: string)

• Logs

  1428008490.419994   CiMFm14le11UPtJhkl  10.1.1.34   57913   38.102.137.159  80  1   GET stationdata.wunderground.com    /cgi-bin/stationlookup?format=json&maxage=10&station=KNYNEWYO118&units=english&v=2.0&callback=jQuery17203764660065062344_1428008136674&_=1428008438624  http://www.wunderground.com/cgi-bin/findweather/hdfForecast?query=10010&MR=1    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36   0   310 200OK   -   -   -   (empty) -   -   -   -   -   Fx8RKotcNrCGtMpG3   text/plain

1.3 How is Bro Applied?

• Network Forensics
  • Real-time flow analysis
  • Pre-recorded flow and packet analysis
• Network File Carving
  • Extract files from network traffic streams
• Intrusion detection
  • IOC Matching
  • Policy enforcement
• Network measurement
  • Generate statistics about network traffic patterns and usage

2 Installing

2.1 Tapping your network

• Choosing where to acquire data is an important choice. Depending on where you acquire data, you will get a different perspective on your network's traffic
• A few things to keep in mind when deciding where to tap in your network:
  • How much traffic does the tap see?
  • Does the tap see both ingress and egress traffic?
  • Is there NAT in your network? Will your tap see traffic pre or post NAT?
  • What method are you using to acquire data? Taps? SPAN?

2.1.1 Taps

A network tap is a hardware device which provides a way to access the data flowing across a computer network [3]. Taps are the preferred method for acquiring network data, especially in cases when physical networks are the data source.

2.1.1.1 Pros

• Taps are passive, they do not alter the contents of the network traffic that you are delivering
• Taps do not drop packets. When acquiring data from a tap you can be confident of the integrity of the captured data.

2.1.1.2 Cons

• Physical taps do not work on virutal networks
• Taps are expensive
• Taps require infrastructure
  • Fiber
  • Network interfaces
  • Tap aggregators (optional)

2.1.2 Port Mirroring / SPAN Sessions

• The SPAN feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer from a network switch [4]

• The SPAN feature was introduced on switches because of a fundamental difference that switches have with hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub received the packet. After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port. [4]

• For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B. [4]

2.1.2.1 Pros

• Low cost - Often it can be configured on hardware you already have in your network
• Easy to deploy - Takes no network downtime (TAPs require network links to flow through them)
• Can be used on virtual networks

2.1.2.2 Cons

• SPANs utilize precious switch resources, prone reducing performance on your switch and dropping to dropping traffic to your analyzer
  • switches forward "SPAN data with a lower priority than regular port-to-port data"[5]
• Limited numbers of SPAN sessions per switch [6]
• Prone to modification of network traffic including but not limited to:
  • Modification of packet timing [5]
  • Addition or removal of headers

2.1.3 Configuring SPAN Port on a Cisco 3750

conf t
monitor session 1 source [interface | vlan] [ interface | vlan #]
monitor session 1 destination [interface | vlan] 

3 How does Bro Work?

3.1 Bro Cluster vs Standalone

• Bro can be run as a "cluster" or as "stand alone" application
• Bro clusters are typically used to scale the performance of Bro for real-time traffic analysis

3.1.1 Bro Cluster

Bro is considered to be in "cluster" mode when Bro is configured to use multiple processes. * Bro clusters can only be used on real-time data acquired from a network interface * Bro clusters are most useful for flow level traffic analysis

3.1.2 Bro Stand alone

Bro is considered to be in "stand-alone" mode when it is configured to use only one process. * "Stand-alone" Bro can be used on real-time data acquired from a network interface or PCAP data * When used as a standalone tool Bro can be used for flow and packet level traffic analysis

3.2 Bro Cluster Architecture

Bro clusters consist of three components:

1. Worker - Workers ingests network traffic from the interfaces, parse network traffic, execute Bro script and create logs.
   • Clusters can have an arbitrary number of workers
   • There should be a single physical processor core for each worker in the cluster
2. Manager - The Manager is the component that aggregates data collected by the workers and compiles the data into a single log. The manager also handles deduplicating "notice" alerts.
   • Clusters have a sigle manager
   • There should be a single physical processor core for the cluster Manager
3. Proxy - Proxies manage the syncronization of data between Bro workers.
   • Clusters can have an arbitrary number of proxies
   • There should be 1 proxy for every 6 workers in your cluster
   • There should be a single physical processor core for each Proxy in the cluster

3.3 Configuring the Cluster Architecture

The configuration file that specifies the layout of your cluster is located in: * $BRO_HOME/etc/node.cfg

3.4 Bro Software Architecture

At a high level, Bro's core consists of four parts:

1. Packet ingest
2. Protocol parsers
3. Event Engine
4. Scripting Engine

3.5 The "Bro" Scripting Language

The "Bro" scripting language is a domain-specific languge designed specifically to be useful in the analysis of network data.

3.5.1 Events

Data gets delivered to Bro's scripting engine in "events". Events are like functions that are called each time Bro's parsers conclude a phase of parsing from a file or network protocol.

"Events" most often coincide with important protocol phases such as the arrival of a DNS query (dns_query) or the establishment of a TCP session (connection_established).

• For instance, if I was interested in saving all DNS queries seen by Bro in a data structure, I would add a script containg a "dns_query" event. Within the dns_query event, there would be code for extracting data from the event, and loading that data into a data structure.

• A list of all Events generated by protocol parsers is located at: http://www.bro.org/sphinx/scripts/base/event.bif.html

3.5.2 Data Types

Bro is a strongly typed programming language, all data in the Bro programming language must be dealt with explicitly according to its type. Being a domain specific programming language, Bro has a number of data types that are not common in general programming language. Below is a list of the most common data types in the Bro language.

• addr - An “addr” is a type representing IPv4 and IPv6 addresses.

  event connection_established(c: connection) {
  local a: addr;
  a = 10.1.1.1
  }

• string - A "string" is used to hold character‐strings.

  event connection_established(c: connection) {
  local s: string;
  s = "I'm a string";
  }

• table - A “table” is an associative array that maps one value (the index) to another value (the yield). ``` global TrackedSessions: table[addr] of string;

event connection_established(c: connection) { TrackedSessions[cidorig_h] = c$uid }

* **record** - A “record” is a collection of values (much like a struct in other well‐known languages such as C++), each value has a field and a data type. Records can hold fields of any data type, regardless of the data type of the other fields.

export { type conn_id: record { orig_h: addr &log orig_p: port &log resp_h: addr &log resp_p: port &log }; }

* **subnet** - A type representing a block of IP addresses in CIDR notation. A subnet constant is written as an addr followed by a slash (/) and then the network prefix size specified as a decimal number. For example, 192.168.0.0/16 or [fe80::]/64.

Subnets can be compared for equality (==, !=). An addr can be checked for inclusion in a subnet using the “in” or ”!in” operators.

## Attributes
Attributes occur at the end of type/event declarations and change their behavior. The syntax is &key or &key=val, e.g., type T: set[count] &read_expire=5min or event foo() &priority=-3. The Bro scripting language supports the following built-in attributes.

* **&redef** Allows for redefinition of initial object values. This is typically used with constants, for example, const clever = T &redef; would allow the constant to be redefined at some later point during script execution.

## Conditionals 
* **If** - If statements look like this:

if (condition) { print "code!"; }

## Loops 
* Bro supports "For" loops

local t: table[count] of string; for ( n in t ) ...

local services: table[addr, port] of string; for ( [a, p] in services ) ...

## The Anatomy of an Event
In this example we will be analyzing the **connection_established** event. The connection established event is, "Generated when [Bro sees] a SYN-ACK packet from the responder in a TCP handshake." [7]

event connection_established (c: connection) { ... }

There are four parts to an event call:

1. "event" - This tells Bro that event name will follow
2. "connection_established" - This tells Bro which event you would like to "hook"
3. "(c: connection)" - This illustrates that the event will be loaded with a variable named "c" and it will be of type "connection"
4. "{ ... }" - The code for your Bro script should go between the two curly braces. It is represented by elipsis in this example.


## The Connection Record
A "connection" is a very common data type in Bro. If you understand how it works, you will be well on your way to understanding most data loaded in Bro events. 

A "connection" is not a primitive data type in Bro. Instead, it is a construct created in Bro script to deliver data for TCP connections in Bro. A "connection" is created with the primitive datatype "record". 

Below is a sample of the information contained in a "connection" from Bro's documentation (https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#type-connection). 

id: conn_id The connection’s identifying 4-tuple. orig: endpoint Statistics about originator side. resp: endpoint Statistics about responder side. start_time: time The timestamp of the connection’s first packet. duration: interval The duration of the conversation. Roughly speaking, this is the interval between first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases). service: set [string] The set of services the connection is using as determined by Bro’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically, there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols. ```

3.6 Extracting information an Event

Now that we understand more about the connection_established event, lets write a simple Bro script that extracts the source and destination addresses from network traffic and print them out.

1. Lets start with the code listed above when introducing the connection_established event.

event connection_established (c: connection) { 


}

2. We now need to add code to extract information from "c" and print it out. Because "c" is of type "record" we can refer to the Bro documentation on how to interact with a "record":

Access to a record field uses the dollar sign ($) operator:

global r: MyRecordType;
r$c = 13;

3. According to Bro's documentation (see above) the "c" variable contains a field called "id" which contains, "The connection’s identifying 4-tuple.". Using what we know about accessing fields from a record, extract and print the "id" field using "print" function.

event connection_established (c: connection) { 
    print c$id;
}

3.7 Syntax Tips

• Each statement of code must be punctuated with a semicolon
• A variable declaration follows the format:
• [global | local] variable_name: variable_type

3.8 Workshop

• Connect to 'reservoirlabs' SSID, password: reservoirlabsftw

3.8.1 Exercise 1: Exploring Bro Logs in Splunk

• Navigate your browser to: splunk:8000, u: admin, p: reservoirlabsftw

1. Did an SSH Brute force attack occcur? What are the source and destination IP addresses? What tool was used to conduct the attack? What country did the attack originate in?
2. What type of files were downloaded by 10.10.100.139 yesterday?
3. What Browsers does 10.10.100.139 use?

3.8.2 Exercise 2: Modifying "hello" Script

• Navigate your browser to: http://try.bro.com
• Open another tab for Bro's documentation at:
  • https://www.bro.org/sphinx/script-reference/index.html
  • Use the "search" bar on the right hand side of the page to search the Bro documentation. (Note: Do not use the "Google" search bar)

1. Using what you learned in the lecture, change the "bro_init" event to the "connection_established" event
2. Now change the text of the print statement to say "connection_established" and print the time (Note: search for the "network_time() function in the Bro docs")
3. Change the print statement again so that you print the data delivered by the connection_established event. (Note: search for the "fmt()" function in the Bro docs)

4. Change the print statement again so that you only print connection records for responders in the subnet 192.168.1.0/24.

5. https://www.bro.org/why_choose_bro.pdf
6. http://en.wikipedia.org/wiki/Bro_%28software%29
7. http://en.wikipedia.org/wiki/Network_tap
8. http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html#anc0
9. http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/san-consolidation-solution/net_implementation_white_paper0900aecd802cbe92.html
10. https://supportforums.cisco.com/document/19196/limitations-span-and-rspan-cisco-catalyst-2950-3550-3560-and-3750-swtiches

11. https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html