Johanna Amann, ICSI/Bro
The NetControl framework provides Bro with a flexible, unified interface for actively interacting with network hardware and software such as switches or firewalls. This talk will give an in-depth explanation of the inner workings of the NetControl framework. It will also demonstrate how you can use the framework in practice, how to extend it, and how to add new backends to it, e.g., to talk to kinds of switches that are not yet directly supported by the framework.
Michal Purzynski, Mozilla
Challenges and solutions for running Bro in the most unusual way.
The new computing strategy in Mozilla requires a creative way to deploy network security monitoring. In this presentation I’d like to show how our NSM evolved over three years, not just following, but anticipating changes. I will show what was most difficult in terms of running Bro on a very large scale and in a highly distributed environment. What broke and what we had to change, and why. How to deal with insane amounts of logs and how that impacts your security operations and incident response. Most of this presentation will be about running Bro in AWS, including lessons learned, what worked and what did not.
Seth Hall, Bro/ICSI
Seth will be catching everyone up on some work he has been doing with the core Bro scripts and frameworks. In particular the upcoming config framework which enables dynamic runtime configuration of Bro will be discussed.
Aashish Sharma, LBNL
This talk highlights a few strategies explored and used for identifying scanners hitting the LBNL network. The idea is to use various strategies such as host-profiling, darknet monitoring, and deep-blocks along with the traditional scan detection techniques used by Bro (such as Scan.bro and threshold random walk).
We further intend to showcase some scanning behaviors and attempt to provide some statistics on scan blocking by Bro. We further intend to highlight possible cases of false positives and why some could be hard to address.
John Althouse, Salesforce
This talk is about building security signatures with Bro scripts and using them to detect things that no other tool can. The talk will consist of detecting anything related to Metasploit over SSL and detecting reverse SSH shells.
John Althouse works at Salesforce improving their detection arsenal.
Stephen Hosom, Battelle
Discussion of Battelle’s Bro implementation and how it has been utilized in incident response, intrusion detection, and even network troubleshooting.
Josh Liburdi, CrowdStrike
This presentation takes a look at Bro scripts that didn’t turn out the way they were intended to. Script ideas, partial code, and key takeaways will be shared during the presentation.
Christian Kreibich, Lastline
In this talk I will share experiences we’ve made in the Lastline engineering team regarding the use of open-source NSM software in a commercial setting. I will begin with observations about the implications of licensing and release/support models in use by several open-source projects, including Bro. In both areas we find a nontrivial tension between the goals of maximizing real-world adoption of an open-source product and trying to channel contributors’ contributions back to the maintainer. I will also present thoughts on the maturity of the NSM toolchest as a whole, looking beyond individual projects. We have found this space to be surprisingly wanting despite natural opportunities for modularization and re-use. I will offer suggestions for how we might improve this situation in the future.
© 2014 The Bro Project.