CommunityBro is an open source project based on Bro IDS. Our goal is to take the original goals of Bro and expand them to meet the needs of organizations both large and small, leveraging the elastic nature of Bro.
- We want to hear about deficiencies.
- We want to understand requirements and changes.
- We want to hear about the most wanted protocol analyzers that are not currently available.
- We humbly request your pull requests.
Our goal is to accelerate the adoption of the technology and, as we move along, to reduce the burden of adoption and implementation.
CommunityBro v1.0 Features
For CommunityBro v1.0 there are several new features and capabilities that serve as a baseline of the commitment to continue to evolve the project moving forward. Those features include:
- New Analyzers
- Analyzers of “Last Resort” – TCP and UDP: When no upstream analyzer attaches to a given flow, a configurable snapshot of the packet data is still captured for upstream analysis and decomposition.
- Branch prediction optimizations in the packet processing loop
- jemalloc is now the default allocation library. After extensive analysis and real-world findings, particularly under high SMB traffic loads, jemalloc was determined to be the most efficient.
- Additional SMB Analyzer Events (Wannacry)
- event smb1_trans2_session_setup_request(c: connection, hdr: SMB1::Header);
- event smb1_echo_response(c: connection, seq_num: count, mid: count, data: string);
- Lua as a second scripting language
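The two new SMB1 events listed above can be handled from Bro script like any other event. The following is an added example, not CommunityBro's own code: it counts `smb1_echo_response` events per connection and raises a notice at a threshold, and raises a notice whenever `smb1_trans2_session_setup_request` fires. The `CommunityBroSMB` module name, the notice types and the `echo_threshold` value are assumptions chosen for illustration.

```bro
# Added example, not part of CommunityBro. Module name, notice types and
# threshold are illustrative assumptions; the event signatures are the ones
# listed in the v1.0 feature list.
@load base/frameworks/notice

module CommunityBroSMB;

export {
    redef enum Notice::Type += {
        ## An SMB1 Trans2 SESSION_SETUP request was observed.
        SMB1_Trans2_Session_Setup,
        ## Many SMB1 echo responses were seen on a single connection.
        SMB1_Echo_Flood,
    };

    ## Illustrative threshold; tune for the environment being monitored.
    const echo_threshold = 50 &redef;
}

# Echo responses seen per connection, keyed by Bro connection UID.
# Entries expire so idle connections do not accumulate state.
global echo_counts: table[string] of count &default=0 &create_expire=10min;

event smb1_trans2_session_setup_request(c: connection, hdr: SMB1::Header)
    {
    # One notice per connection; the $identifier lets the Notice framework
    # suppress repeats for the same UID.
    NOTICE([$note=SMB1_Trans2_Session_Setup,
            $conn=c,
            $msg="SMB1 Trans2 SESSION_SETUP request observed",
            $identifier=c$uid]);
    }

event smb1_echo_response(c: connection, seq_num: count, mid: count, data: string)
    {
    ++echo_counts[c$uid];

    # Fire exactly once when the per-connection count reaches the threshold.
    if ( echo_counts[c$uid] == echo_threshold )
        NOTICE([$note=SMB1_Echo_Flood,
                $conn=c,
                $msg=fmt("%d SMB1 echo responses on one connection (last mid=%d, %d payload bytes)",
                         echo_threshold, mid, |data|),
                $identifier=c$uid]);
    }
```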
What about the license?
Our goal is to be the most widely available implementation of a community project possible. After much research and discussion, the Apache License 2.0 was selected for its compatibility with the existing BSD 3-clause License.
Why the change?
The core, existing Bro code remains BSD 3-clause and will always remain BSD 3-clause as long as it is within CommunityBro. However, all new development and modification of core functionality will be covered under the Apache License 2.0, primarily to protect the authors even further. We hope this change will encourage organizations that shy away from other license models to be more open to contributing to CommunityBro.
Lua is simply the most performant, compact and robust embedded programming language available today. Coupled with the Lua just-in-time compiler (LuaJIT) and the availability of existing Lua libraries and code snippets, the goal is to bring fresh capabilities to Bro and to reduce the learning curve inherent in Bro Script, a domain-specific language.
Additionally, Lua with Bro gives a practitioner the option of fielding a new detection script without needing to restart Bro for the script to be loaded and processing data.
What is an example of a Lua Script in Bro?
```lua
-- Runs once when the script is loaded, even if Bro is already running.
function bro_init()
  print("Hello, world! This is printed immediately after loading, even if Bro was already running.")
end

-- Number of connections seen since the script was loaded.
count = 0

-- Called each time Bro removes a connection's state, i.e. once per completed connection.
function connection_state_remove(connection)
  count = count + 1
end

-- Runs when Bro shuts down.
function bro_done()
  print("Bro saw ", count, " connections!")
end
```