This often overlooked open source tool uses deep packet inspection to transform network traffic into exceptionally useful, real-time data for security operations.

Greg Bell, Co-founder & Chief Strategy Officer, Corelight

June 14, 2018

3 Min Read

The 1990s was a terrific era for open source software. As the World Wide Web exploded in size, the scaffolding of the early Internet was taking shape … and it's hard to imagine that happening without the brilliant developers who gave us Linux, FreeBSD, Apache, Perl, MySQL — and countless other projects. The same decade also brought us grunge music, Game Boys, and Doc Martens! but those early open source tools had a larger impact: they changed the world in ways we're still grappling with.

Not surprisingly, several classic open source security projects date from exactly the same era: Snort, Wireshark, Nessus, Bro.

Here's a bet: if there's a name on that list you've only vaguely heard of, I bet it's "Bro."

I first encountered Bro in 2001, when I joined Lawrence Berkeley National Laboratory (LBNL) as a network engineer. One of my first jobs was to integrate Bro with our new border router. In that process, I learned that the tool had been created at LBNL five years earlier by Vern Paxson, then a graduate student, now an eminent computer scientist and security researcher at UC Berkeley. Vern's classic paper on Bro is here.

Vern named the project in homage to George Orwell's dystopian novel 1984, as a reminder that network monitoring can be a double-edged sword: increasing security, but also facilitating surveillance in the wrong hands. Since that time, "Bro" has developed other connotations, and last year the project's leadership kicked off a process for changing the name that hasn't yet concluded.

In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Through deep packet inspection, Bro can extract hundreds of security-relevant fields from dozens of protocols and present them in a way that makes sense to security operations center engineers.

By default, Bro doesn't have an opinion about the traffic it processes. This basic architectural principle sometimes confuses people. Bro doesn't decide whether your traffic is good or bad; it just doggedly parses dozens of protocols and records what it sees, generating rich, actionable data that makes the work of incident response and threat hunting up to 20 times faster. In fairness, that's a simplification, because Bro is also an application framework well-suited to the development of sophisticated behavioral detections ... but many fans of the open source project appreciate the value-neutral data above all else.

Bro initially thrived in the national laboratory system and in research universities because network visibility was so important to these institutions. They had the world's fastest networks, thousands of endpoints that were effectively unmanageable, and users who participated in an ever-shifting pattern of global research. Standard-issue firewalls weren't feasible or affordable in such environments. Instead, their security teams developed compensating techniques for monitoring networks, with Bro at the heart of it all.

In time, global enterprises began to adopt Bro as well. The addition of excellent SMB protocol parsing accelerated that trend, as did better documentation and a formal Bro Center funded by the US National Science Foundation. Right now, thousands of organizations worldwide rely on Bro, including some of the world's largest companies and mission-critical government agencies. As BSD-licensed technology, Bro is also incorporated into numerous commercial products.

Security professionals love Bro because it creates exceptional data that helps them get their jobs done faster. But beyond that, Bro data improves all of the tools it feeds (SIEM systems, analytics pipelines, automation platforms, etc.). As security threats become existential for so many organizations, better data is key to addressing risk, because it drives improvements throughout the security life cycle.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information.

About the Author(s)

Greg Bell

Co-founder & Chief Strategy Officer, Corelight

Before joining Corelight, Greg served in a series of leadership roles at Lawrence Berkeley National Laboratory: Director of the Scientific Networking Division, Director of the US Department of Energy's high-performance mission network ESnet, and Chief Technology Architect in the Office of the CIO. As ESnet Director, Greg oversaw deployment of the world's first 100G network at continental scale, the world's first 400G production link, and many other networking and systems innovations in support of data-intensive science. Greg also serves on the board of CENIC, the high-performance public network interconnecting 20 million Californians (including the vast majority of K-20 students) and vital public-serving institutions. Greg has a Ph.D. from UC Berkeley and an A.B. from Harvard.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights