Bro – An Open-source Network Traffic Analyzer

1 Comment

Bro is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. It supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with troubleshooting.

The most immediate benefit that a site gains from deploying Bro is an extensive set of log files that record a network’s activity in high-level terms. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts such as, e.g., all HTTP sessions with their requested URIs, key headers, MIME types, and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions; and much more. By default, Bro writes all this information into well-structured tab-separated log files suitable for post-processing with external software. Users can however also chose from a set of alternative output formats and backends to interface directly with, e.g., external databases.
In addition to the logs, Bro comes with built-in functionality for a range of analysis and detection tasks, including extracting files from HTTP sessions, detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, and much more.
However, the key to understanding Bro lies in realizing that even though the system comes with such powerful functionality out of the box, fundamentally it represents a platform for traffic analyses that’s fully customizable and extensible: Bro provides users with a domain-specific, Turing-complete scripting language for expressing arbitrary analysis tasks. Conceptually, you can think of Bro as a “domain-specific Python” (or Perl): just like Python, the system comes with a large set of pre-built functionality (the “standard library”), yet you are not limited to what the system ships with but can put Bro to use in novel ways by writing your own code. Indeed, all of Bro’s default analyses, including all the logging, is the result of such scripts; there’s no specific analysis hard-coded into the core of the system.
Bro runs on commodity hardware and hence provides a low-cost alternative to expensive proprietary solutions. Despite the price tag, however, Bro actually goes far beyond the capabilities of other network monitoring tools, which typically remain limited to a small set of hard-coded analysis tasks. We emphasize in particular that Bro is not a classic signature-based intrusion detection system (IDS). While it supports such standard functionality as well, Bro’s scripting language indeed facilitates a much broader spectrum of very different approaches to finding malicious activity, including semantic misuse detection, anomaly detection, and behavioral analysis.
A large variety of sites deploy Bro operationally for protecting their cyber infrastructure, including many universities, research labs, supercomputing centers, open-science communities, and major corporations. Bro specifically targets high-speed, high-volume network monitoring, and an increasing number of sites are now using the system to monitor their 10GE networks, with some already moving on to 100GE links. Bro accommodates such high-performance settings by supporting scalable load-balancing: large sites typically run “Bro Clusters” in which a high-speed front-end load-balancer distributes the traffic across an appropriate number of backend PCs, all running dedicated Bro instances on their individual traffic slices. A central manager system coordinates the process, synchronizing state across the backends and providing the operators with a central management interface for configuration and access to aggregated logs. Bro’s integrated management framework, BroControl, supports such cluster setups out-of-the-box.

Requirements:

  • Libpcap
  • OpenSSL libraries
  • BIND8 library
  • Libz
  • Bash (for BroControl)
  • Python 2.6 or greater

To build Bro from source, the following additional dependencies are required:

  • Make 2.8 or greater
  • Make
  • C/C++ compiler with C++11 support (GCC 4.8+ or Clang 3.3+)
  • SWIG
  • Bison (GNU Parser Generator)
  • Flex (Fast Lexical Analyzer)
  • Libpcap headers
  • OpenSSL headers
  • zlib headers
  • Python

Bro can make use of some optional libraries and tools if they are found at build time:

  • C++ Actor Framework (CAF) version 0.14
  • LibGeoIP (for geolocating IP addresses)
  • sendmail (enables Bro and BroControl to send mail)
  • curl (used by a Bro script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • jemalloc
  • PF_RING (Linux only, see Cluster Configuration)
  • ipsumdump

Features:

Bro supports a wide range of analyses through its scripting language. Yet even without further customization, it comes with a powerful set of features.
  • Deployment
    • Runs on commodity hardware on standard UNIX-style systems (including Linux, FreeBSD, and MacOS).
    • Fully passive traffic analysis off a network tap or monitoring port.
    • Standard libpcap interface for capturing packets.
    • Real-time and offline analysis.
    • Cluster-support for large-scale deployments.
    • Unified management framework for operating both standalone and cluster setups.
    • Open-source under a BSD license.
  • Analysis
    • Comprehensive logging of activity for offline analysis and forensics.
    • Port-independent analysis of application-layer protocols.
    • Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, SSL).
    • Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting.
    • Comprehensive IPv6 support.
    • Tunnel detection and analysis (including Ayiya, Teredo, GTPv1). Bro decapsulates the tunnels and then proceeds to analyze their content as if no tunnel was in place.
    • Extensive sanity checks during protocol analysis.
    • Support for IDS-style pattern matching.
  • Scripting Language
    • Turing-complete language for expression arbitrary analysis tasks.
    • Event-based programming model.
    • Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
    • Extensive support for tracking and managing network state over time.
  • Interfacing
    • Default output to well-structured ASCII logs.
    • Alternative backends for ElasticSearch and DataSeries. Further database interfaces in preparation.
    • Real-time integration of external input into analyses. Live database input in preparation.
    • External C library for exchanging Bro events with external programs. Comes with Perl, Python, and Ruby bindings.
    • Ability to trigger arbitrary external processes from within the scripting language.

Related Articles

One thought on “Bro – An Open-source Network Traffic Analyzer

Comments are closed.