One of our partners recently asked me what I thought of Bro — was it something I would recommend setting up for one of his clients? If you’ve used Bro before, this is probably a no-brainer, but for many folks — even ones with deep infosec experience — Bro can be a little confusing. In this post, we’ll briefly cover what Bro is, why you would want to use it, as well as things to beware of before you go rolling it out with wild abandon.
Bro advertises itself as a Network Intrusion Detection System (NIDS), but if you’ve used other NIDS like Snort/Firepower, Suricata, or McAfee IPS you will find that it’s quite different. While it is true that you can configure Bro to trip on signatures like any of those solutions, this represents only a minority of its use in most deployments. One should be warned that there is even a module that allows Bro to use Snort signatures, but it is not a perfect translation and can quickly lead to excessive false positives. For any traditional signature-based intrusion detection, one should stick to dedicated Bro modules like Seth Hall’s APT1 signature matching module, Jon Schipp’s modules for suspicious activity (like syslog going out of your network), or Nick Hoffman’s collection for beacons and typosquatting. The list goes on, and one will find that while there are some modules that find signatures for some of the activity that other IDSs pick up, they are more different than alike. Put another way: Bro modules tend to look for things that your other IDS/IPS solutions do not. The difference is largely philosophical: Bro is seen as a tool that helps you find suspicious traffic on your network, rather than just something to block all the known bads.
In line with the philosophical idea that Bro is used to help you find suspicious traffic, its primary application in most environments is for data collection. Bro ships with a plethora of modules for decoding network traffic such that you can extract protocol-level information about dozens of common (and no-longer-so-common) protocols flying around your network. Sure, you could get information on DNS queries from your DNS servers (well, maybe), SMB connections from your file servers, web connections from your proxies — oh, and your internal and external web servers — or you can just have Bro collect it all for you in one place. This then becomes a wealth of data for security analysts, for both your L1/L2 staff doing basic investigations like, “Has anyone on our network accessed this IP address?” as well as more advanced hunting questions such as, “What unusual HTTP error codes have we seen from our webservers this month?” In short, it provides a single consolidated, normalized source of data for most of your network traffic, which organizations of any security maturity can take advantage of.
So why doesn’t everyone run Bro? Well, it’s not as simple to roll out as many security solutions (and if you’ve rolled out many security solutions, you know that is saying a lot). For starters you need a network tap infrastructure to feed it — this can be… challenging to set up in most organizations. You need to determine visibility: are you just going to be looking at your borders (which will likely not find any insider activity), or internal network segments as well? The amount of encryption (such as SSL) at those monitoring points will also impact visibility — although Bro is useful for decoding x.509 certificates and can help you find suspicious SSL traffic. Then you’ll need boxes to actually run Bro on, and Bro can eat a lot of CPU — exactly how much depends on the specifics of your environment. Similarly, the configuration will need to be tuned for your environment; there are a lot of trade-offs in configuration, for example SMB — the primary Windows communication protocol — is expensive to parse, which means you might not want to use it in a large Windows shop… yet that is where it is most useful. There are commercial solutions such as Corelight and Reservoir Labs that are worth considering depending on your budget and engineering/administration capabilities. Perhaps the biggest challenge with Bro is that it produces a massive amount of data that can be difficult to make sense of, and any security solution isn’t worth its salt if no one ever uses it, whether you have a full-time monitoring team, or one person who periodically reviews your security logs.
The team here at BuboWerks has been working with Bro for over a decade, although we must admit that it is only in the past five years that we’ve really come to appreciate its power and what it can add to an overall security program. We can help you with the challenges in rolling it out, from architecture and implementation to training for your engineering / admin and analysis staff. If staffing is your concern, we offer managed services through ourselves and our partners, depending on what best suits your needs.