This year we will hold our first Bro Exchange: a Bro users meeting aiming to get a large number of Bro users together in the same room to exchange thoughts and talk about how everybody’s using Bro. In contrast to past workshops, the focus of this event is less on providing training and more on exchanging experiences and ideas.
The Bro Exchange 2012 will take place on August 7-8, 2012, at the National Center for Atmospheric Research in Boulder, Colorado. It will run 9am-5pm on the 7th and 9am-noon on the 8th. Many thanks to NCAR for providing the facilities!
Registration for the Bro Exchange 2012 is now open. The cost remains $50, the same as for the workshops held in previous years. The registration cost also covers breakfast and lunch for both days.
8:00am Breakfast & Registration
9:00am Welcome and Introductions
9:15am Doug Burks — Mandiant and Security Onion Developer
- Security Onion Video
- I’ll demonstrate using the Security Onion distro to deploy Bro to two sensors in under 30 minutes. Bro logs from both sensors will be searchable from the same central ELSA web interface. Using Security Onion, any Windows admin off the street can click Next, Next, Finish to deploy Bro to their network!
10:30am Scott Campbell - NERSC
- SSHD Video
- This presentation addresses applying local security policy to non-network data using Bro. The principal vehicle for this will be the instrumented SSHD used at NERSC that was recently reported in several online security publications.
11:15am Scott Runnels — Security Onion Developer
- Learning Bro Scripting Video
- A practical approach to learning Bro’s scripting language.
1:00pm Vlad Grigorescu — Carnegie Mellon University
- Brownian Video
- As Bro is being used to monitor increasing amounts of traffic, the venerable text logs have become too slow and inflexible for many analysts. Using ElasticSearch to index logs in near real-time enables fast in-depth analysis, allows for complex queries and provides a built-in API to fit any workflow. Finally, a custom-built web interface that is tightly integrated with Bro allows analysts to quickly and efficiently drill down to the interesting events.
1:45pm Derek Brost - eProtex
- High-profile threats are bringing more security attention to ICS/SCADA and other similar embedded systems. For this class of systems, traditional client-based security software does not or cannot apply for a myriad of practical reasons. This talk will cover the enterprise risk application of Bro and its applied utility outside traditional, commercial security approaches.
3:00pm Johanna Amann - ICSI
- Bro 2.1 will feature the Input Framework, which enables users to easily import external information in Bro. This talk will give a short overview of the framework and show how it can be used with a few example use-cases.
3:45pm Alan Commike — Reservoir Labs
- Mcore Video
- In this talk we will present Mcore, a set of extensions for Bro to support many-core platforms. Our implementation is based on the Tilera Gx processors although it should be applicable to other many-core platforms. The objective of this work is to provide a framework and implementation to efficiently map traffic onto Bro analyzers to sustain very-high speed rates (100Gbps and up to terabit rates) while minimizing the total energy requirements of the system.
4:15pm Aashish Sharma & Vincent Stoffer - LBNL
- In this talk we intend to focus on the operational use of Bro at the Berkeley Lab. The talk covers the architecture and the deployment strategies for Bro throughout the Lab infrastructure. We highlight the use of Bro for vulnerability mitigation, deployment of the input framework, use of dynamic firewall (catch-n-release & stomper) and experiences with “Deep Bro” for subnet level visibility. We will also discuss the use of Bro in the IPv6 world, syslog analysis, instrumented sshd (iSSH) deployment, the use of Time machine, and we will provide a glimpse into the ongoing efforts of monitoring 100G links with Bro.
5:00pm Bus leaves conference and drops folks off at hotels.
6:30pm Bus starts picking folks up from hotels for dinner.
9:00pm Bus brings folks back to hotels.
9:00am Seth Hall - ICSI
- 15 Minutes of Bro Video
- A brief 15 minute window where I try to predict Bro’s future.
9:15am Keith Lehigh — Indiana University
- OpenFlow Video
- This will be a short talk followed by an open discussion about running Bro in a high volume environment and the problems encountered and solutions to them.
11:15am Open Mic with Bro Devs
- Let us know what you want!
We have reserved blocks at three hotels in Boulder. None of these hotels is within walking distance of the facility where the Bro Exchange is being held, so buses will come around to take people up to NCAR for the Exchange. If you have local transportation, free parking will be available at the site, and we will update this page when we have a map for the site.