Note: Our current website is at www.zeek.org. This website is unmaintained and contains outdated information.

Bro workshop @ EDUCAUSE 2016

Welcome to our Bro workshop at EDUCAUSE 2016. This page contains all links and material we use or present during the day.

This workshop is presented by Seth Hall, Vlad Grigorescu, Justin Aszoff, and Doris Schioberg. We all are members of the Bro team.

Agenda

To meet as many attendees’ needs as possible we keep our agenda for today flexible. Below you find the day’s structure in terms of session and topics.

08:30	Welcome and Introduction to Bro
10:00	Coffee break
10:30	Session 2: Navigating in and with Bro
12:00	Lunch
13:00	Bro in the real world: Bro usage, configuration, tuning and problem solving. Bro Script Tutorial
14:30	Coffee break
15:00	Outlook on special topics, Q&A, the Bro Center of Expertise

Resources and Links

You will find here slides, pointers to more documentation and other resources related to each topic we cover today.

What is Bro? — An Overview

The full Broverview slideset.
The more detailed Bro introduction in the documentation.

Getting Started

Start by downloading Bro.
Installing Bro.
Howto specifically for CentOS 6 with helpful hints and tricks for every OS. Showing also a GeoIP setup.
Exercise and walk through on installing Bro and running it for the first time.

Inside Your Bro Installation

During this training we are going to show you around in your Bro installation. Most of this can be found in the documentation in our Quickstart Guide. Also, go ahead and explore the install directory, typically /usr/local/bro. Assuming this is your install directory you can go from there to /usr/local/bro/share/bro/policy to find more useful Bro scripts that are not loaded by default. The script included by default are found in /usr/local/bro/share/bro/base. Scripts not in base can be loaded via local.bro which is located in /usr/local/bro/share/bro/site. The logs produced by Bro have a default location /usr/local/bro/logs.

Documentation for all Bro frameworks is here.

Bro Configuration and Tuning

This is a very broad topic but there are some helpful entry points on the Bro website.

BroControl is one of the basic tools.
Specific references a certain Bro element such as a BIF or event is found in the script reference.
Whenever there is a little more to do for your Bro setup you will need to get into a cluster config.

The slides for this topic are here.

Embedding Bro in your Network

The slides for this topic are here.

We will also spend some time on problem solving.

Bro setups for networks with 100G are very difficult. This case study written by Vincent Stoffer, Aashish Sharma, and Jay Krous is a unique source of experience and practical Bro deployment and usage.

The Net Control Framework allows you to let Bro modify the behavior of your network. The documentation is here. Netcontrol is still work in progress, especially the documentation is not complete yet. The most recent development is in github.

Bro Logs

The slides presented with this topic are here.
The Logging framework is documented here.
A more user centric how-to is here.
A frequently asked question is which logs are or can be created by Bro. See this list that also includes the field descriptions for each log file.

Bro Scripts

If you learn best by doing start your Bro script journey with our online tutorial.
Accompanying the tutorial or as a stand alone how-to read this detailed document.
The script reference is here.

The Bro Center of Expertise

The Bro Center of Expertise is a central point of contact for institutions funded by the National Science Foundation (NSF) that bundles the Bro Team’s expertise and offers it to NSF-supported sites seeking advice.

We are constantly working on imrpovements. If you want to help us AND are a NSF site please fill out this survey. All information given is treated as confidential. The purpose of it is to get an overview of what NSF site look like. In the long riun we hope to develop tools and processes that makes it easier to get ro into your Science DMZ.