The "Bro Exchange" offers the Bro community a chance to come together and share experiments, successes, and even failures with each other so that we can all work to understand and secure our networks better.
The Bro Exchange 2013 will take place on August 6-8, 2013, at the National Center for Supercomputing Applications in Urbana, Illinois. It will run 8am-5pm on the 6th and 7th and 8am-noon on the 8th.
The Bro Exchange is being subsidized by the National Science Foundation grant under which much of the recent work has been performed, so the fee will be kept down to $50, as in all past years. The registration fee also covers breakfast, lunch, and snacks.
Bro Exchange 2013 Registration
Day 1: August 6, 2013
8:00am Breakfast and Registration
9:00am Welcome and Introductions
9:15am Adam Slagell - NCSA, CISO (Video)
Opening remarks from our hosts.
NCSA has been around for almost 3 decades and has been a leader in security R&D and operations for over 10 years. Here we talk a bit about NCSA, the Cybersecurity Directorate, and our involvement with Bro.
9:45am Liam Randall - Broala (Video)
- Building Bro and using VMs.
10:15am Break
10:45am Seth Hall - ICIR/LBNL/Broala (Video)
- File analysis deep dive with Bro 2.2. Exercises for using it and for developing with it.
12:00pm Lunch
1:00pm Doug Burks and Scott Runnels - Mandiant & Security Onion (Video)
- In this talk, we’ll review the current Bro integration in Security Onion and then talk about our future plans to do even more cool stuff with Bro! The first is a Bro script written by Scott to act as a replacement for a "tcpflow -cr" session transcript, with the added bonus of handling gzip-encoded content and also UDP traffic. The second idea is to leverage our existing Bro conn logs in a distributed ELSA database and extend the solution to replace the functionality currently provided by prads session data going into a single central database. We’ll show how these two ideas, made possible by Bro, will allow security analysts to respond more quickly and have greater confidence in their analysis.
1:45pm Aashish Sharma - LBNL (Video)
- Attack Strategies in Spear Phishing: Deceptions and Detections.
2:30pm Break
3:00pm Incident Response with Bro PANEL
- Incident responders that use Bro in their daily work will get on stage to talk about their experiences and respond to audience questions in a discussion moderated by Seth Hall.
3:45pm Vlad Grigorescu - Carnegie Mellon University (Video)
- Increasing Bro automation with the new Exec module.
4:15pm Alan Commike and Bob Rotsted - Reservoir Labs (Video)
- Implementing Memory Management for Bro.
6:00pm Dinner at NCSA sponsored by Arista Networks. (Video)
Day 2: August 7, 2013
8:00am Breakfast
9:00am Johanna Amann - ICSI
- SSL Certificate Notary.
9:45am George Warnagiris - CERT/Software Engineering Institute (Video)
Bro/SiLK Integration
The purpose of this talk is to share the results of an investigation into using Bro as a flow meter and to demonstrate the utility of using network flow records to index Bro data. In order to prove the concept, we configured Bro to feed flow records to the System for Internet-Level Knowledge (SiLK), the OSS traffic analysis tools developed by CERT. We then looked at three aspects: how Bro can most efficiently export to SiLK, how SiLK can manipulate Bro data, and how SiLK can hook back into Bro with analysis results. We found potential for synergy between Bro and SiLK, but more work needs to be done in order to achieve results in large production environments.
10:15am Break
10:45am Vlad Grigorescu - Carnegie Mellon University (Video)
- How to write an analyzer.
11:30am Seth Hall - ICSI/LBNL/Broala (Video)
IPv6 and tunnels.
These features appeared in the 2.1 release of Bro, but many people don’t know about or understand them. This talk should serve as a primer for understanding this part of Bro’s data flow and the various logs that are written out for IPv6 and tunneled traffic.
12:00pm Lunch
1:00pm Scott Campbell - NERSC (Video)
Using Bro for Host and Application Based Analysis
While Bro is well known as a network security tool, we have developed (and are developing) a number of tools to audit and apply local security policy to various applications and platforms.
1:45pm Liam Randall - Broala (Video) (Exercises)
- The Bro view of Indicators of Compromise and Tools, Tactics, and Procedures of real malware.
2:30pm Seth Hall - ICSI/LBNL/Broala (Video) (Exercises)
Summary Statistics and Bro.
What does the new SumStats framework bring to Bro and how does it change the landscape for detections? More than you know. This talk will present the SumStats framework (formerly Metrics framework) and go through some brief exercises.
3:30pm Break
3:45pm Robin Sommer - ICSI/LBNL/Broala (Video)
- Research and Development Roadmap.
4:30pm Aashish Sharma - LBNL (Video)
- Time-Machine.
Day 3: August 8, 2013
8:00am Breakfast
9:00am Karl Kamin - 21CT (Video)
Bro Data Analysis of Historical, Large Data Sets.
Utilizing Bro to consume real-time network data feeds is an established practice. This presentation will examine the challenges of employing Bro with data at rest (i.e., PCAP files).
In 21CT’s first opportunity using Bro in an enterprise environment, we ran across a political barrier wherein the customer was not allowed to receive a real-time feed of network traffic. This customer only has access to PCAP files that are rolled every 10 seconds, with weekly data quantities of 22TB.
To preserve the integrity of observed connection state and of the timestamps generated by the observer, a means of combining PCAP files in a temporally cohesive manner was devised. Minimizing the synthesis of connection beginning and ending timestamps requires combining as many PCAP files as resources allow. The result is a system in which the output from Bro is loaded into LYNXeon, where the analyst can perform graph pattern analysis on the Bro-provided metadata. Once analysts find a point of interest in the data, they can pivot and visualize full-content user sessions derived from the PCAPs that our customer retains. The system has been working well for 10 months now and is making an important contribution to national security.
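The abstract above describes the core problem with 10-second capture rotation: a connection that straddles a file boundary is seen by Bro as two truncated halves, each with a synthesized start or end timestamp, unless the files are recombined before analysis. The following is an added example, not 21CT's code or any tool from the talk, showing the minimal form of such a merger: it parses plain little-endian libpcap files (magic 0xa1b2c3d4, microsecond timestamps, the default tcpdump/libpcap output; pcap-ng is not handled), concatenates the packets of several rotated files, reorders them by timestamp, and writes one capture that can be handed to `bro -r`. The sample files are constructed inline and are not real traffic; the 10-second rotation interval is the one the abstract states.

```python
"""Merge rotated libpcap files into one time-ordered capture (added example)."""
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

Packet = Tuple[int, int, bytes]  # (timestamp in microseconds, orig_len, captured bytes)


def parse_pcap(data: bytes) -> Tuple[int, int, List[Packet]]:
    """Return (snaplen, linktype, packets). A truncated final record, which a
    capture rotated mid-write can leave behind, is dropped rather than raising."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    packets: List[Packet] = []
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        if off + incl_len > len(data):
            break  # record cut off by rotation: nothing usable follows
        packets.append((ts_sec * 1_000_000 + ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, linktype, packets


def build_pcap(packets: List[Packet], snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Serialise packets as a libpcap file (linktype 1 = Ethernet)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, orig_len, payload in packets:
        out += PKT_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(payload), orig_len)
        out += payload
    return bytes(out)


def merge_pcaps(files: List[bytes]) -> bytes:
    """Concatenate rotated captures and reorder every packet by timestamp, so a
    flow that straddles a rotation boundary reaches Bro as one continuous stream
    rather than two halves with synthesized start/end times."""
    merged: List[Packet] = []
    linktype: Optional[int] = None
    snaplen = 0
    for data in files:
        sl, lt, pkts = parse_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("refusing to merge captures with different link types")
        snaplen = max(snaplen, sl)
        merged.extend(pkts)
    merged.sort(key=lambda p: p[0])  # stable sort: equal timestamps keep file order
    return build_pcap(merged, snaplen, 1 if linktype is None else linktype)


def timestamps(data: bytes) -> List[int]:
    """Timestamps (microseconds) of every packet in a pcap, in file order."""
    return [ts for ts, _, _ in parse_pcap(data)[2]]


def _frame(n: int) -> bytes:
    """Constructed 60-byte placeholder frame; not a real Ethernet frame."""
    return bytes([n]) * 60


# Constructed sample: two consecutive 10-second rotations. The second file holds
# one packet whose clock value precedes the last packet of the first file (buffered
# capture threads produce this), and the first file ends with a record that was
# cut off when the file was rotated.
FILE_A = build_pcap([(1375800000_000000, 60, _frame(1)),
                     (1375800009_500000, 60, _frame(2))]) \
    + PKT_HDR.pack(1375800009, 900000, 60, 60) + b"\x03" * 20
FILE_B = build_pcap([(1375800009_400000, 60, _frame(4)),
                     (1375800015_000000, 60, _frame(5))])

if __name__ == "__main__":
    merged = merge_pcaps([FILE_A, FILE_B])
    print(timestamps(merged))
    with open("merged.pcap", "wb") as fh:  # then: bro -r merged.pcap
        fh.write(merged)
```

For production volumes (the abstract mentions 22TB per week) the sort-everything-in-memory step is the limiting factor; Wireshark's `mergecap`, which also merges by timestamp, or a streaming k-way merge over the already-ordered input files is the practical equivalent. The design point the example makes is the one the abstract raises: the more consecutive rotations are merged into one input for `bro -r`, the fewer connections are artificially cut at file boundaries.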
9:45am Bro Core Team PANEL (Video)
- The Bro Core Team will all take the stage for a panel discussion about the project, where it’s been and where it’s headed.
10:30am Break
11:00am Seth Hall - ICSI/LBNL/Broala (Video) (Exercises)
Intel framework overview
The updated intelligence framework has the ability to consume large sets of intelligence at runtime and watch for matches in many locations. This talk will walk through the design and API of the intel framework and include a short tutorial for using parts of it.
12:00pm Lunch
1:00pm Blue Waters tours
The best choice of hotel is the Hampton Inn, which is just across the street from the main NCSA building where the workshop is being held.
We have a room block reserved at the hotel for participants. The cost is $129 plus tax per night. Please call the hotel directly and mention Bro Workshop.
If the government rate is an option for you, we have heard that it is just $77 plus tax per night.
Hotel Information:
Hampton Inn, 1200 W. University Ave., Urbana, IL 61801. Phone: 217-337-1100
For those flying in who have not been to the area, the local airport is Willard Airport (CMI). Urbana-Champaign is approximately a two-and-a-half-hour drive south of Chicago or a two-hour drive west of Indianapolis, so be prepared to rent a car and make the drive if you fly into either of those cities. Our suggestion: fly to CMI and take a taxi to the hotel.
© 2014 The Bro Project.