[Discussion] I think everyone is describing Bro

Martin Holste mcholste at gmail.com
Sun Oct 19 17:51:20 UTC 2008


Wow, I haven't looked at Bro in over a year, and the new additions to 1.4
are stunning.  Nice work!  I agree that Bro certainly has all of the
back-end features that we have been discussing, down to the HTTP sniffer I was
alluding to earlier, the realtime loading of IP lists, and the scripts
versus signatures design.  Most importantly, it has a scalable, extremely
modular design.  I think what Bro has been missing is a community just like
this to act as a catalyst for breaking it out of its niche in academia and
becoming something that average organizations can use.

I think that it's telling that Bro only recently got the ability to write
anything to a database bundled with it natively, as that's a basic
requirement for many people.  As I look through the policy scripts, it's
like I'm walking through a strange wonderland where anything is possible and
great things are happening, but I have no idea what's going on.  There is a
rather steep learning curve for the Bro scripting language, and though well
documented, I think that's rather off-putting for a lot of people.  I
actually had an easier time understanding what was going on with the
pehunter source code written in C than I did trying to read the Bro
scripting language straight-up.  I'm not saying that it's not worth
learning, I'm just saying that there's a pretty significant initial
investment needed to get going with it.  I think what this group could do
would be to provide standards, tools, etc. for keeping track of all of these
policies, writing new ones, and providing a comprehensive framework for
managing it all, and a frontend for acting on the intelligence it provides.
I see Bro as something of an uncut diamond.

If this group adopted Bro as a platform of choice, I think we'd have a real
shot at decreeing that "this group shall re-invent no wheels" and still
achieve all of the goals we set out to do.  The idea being that we're not
here to resolve problems, but rather to apply and focus work already done
into something that produces community-aware, actionable intelligence
instead of log files.  I will start a new thread with the beginnings of a
proposal to the group to explore that idea further.

On Sun, Oct 19, 2008 at 10:27 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> I definitely agree. There are a great number of features in bro that we
> can learn from or steal. :)
>
> Matt
>
> Thorsten Holz wrote:
> > On 19.10.2008, at 06:25, Seth Hall wrote:
> >
> >> Sorry, I just joined the list so I'm going to be doing some odd
> >> quoting from the list archive :)  I do want to point out too, that I'm
> >> not writing this email to downplay OISF's goals but rather to hopefully
> >> guide OISF toward improving an existing opensource project (Bro -
> >> http://www.bro-ids.org/) that already does much of what is being
> >> discussed on this list.
> >
> > I agree with Seth: why implement something completely new when you
> > can extend an existing project that already contains many features
> > that should be included in the resulting tool? Bro has some cool
> > features and could be considered as a starting point.
> >
> > Cheers,
> >    Thorsten
> > _______________________________________________
> > Discussion mailing list
> > Discussion at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc