We recently presented at BSides Austin, which is the largest information security conference in Texas with over 450 attendees this year. As part of our new information security program, we are spinning up several open-source projects. Our presentation at BSides Austin focused on the processing of network security data from Bro IDS.
Bro is a popular open-source network intrusion detection system (IDS) backed by a large developer community. Given the popularity of Bro and the ubiquity of Python, we are developing an efficient bridge from Bro to Python called BroThon. It is a simple-to-use module that streams Bro IDS log data into Python: its generators provide a live stream of records from the Bro network monitors, and they can feed Pandas DataFrames directly with just a few lines of code:
Beyond its ease of use, the BroThon module offers the following benefits.
Complex tasks (e.g., running YARA signatures on extracted files, state machines, machine learning) are offloaded from Bro IDS, so that Bro can focus on the efficient processing of high-volume network traffic.
Data Analysis and Visualization
Pulling Bro data into Python allows us to leverage a large set of Python modules for data analysis, statistics, machine learning and visualization.
The BroThon module is freely available on GitHub. The GitHub repository has documentation and code examples for a broad set of use cases:
- ingesting any Bro log (with dynamic tailing and log rotation handled);
- converting Bro logs to Pandas DataFrames (and then DataFrames to machine learning);
- dynamically monitoring files.log and making VirusTotal queries;
- dynamically monitoring http.log and showing uncommon user agents;
- running YARA signatures on extracted files; and
- checking X.509 certificates.
See BroThon Examples for more details.
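To make the two ideas above concrete (a generator that streams Bro log records into Python, and the http.log use case of surfacing uncommon user agents), here is an added, self-contained example. It is not BroThon's code or API: it is a minimal reader for the tab-separated Bro ASCII log format that honours the `#separator`, `#fields`, `#types`, `#unset_field` and `#empty_field` header lines, converts the typed columns, and yields one dict per row. The http.log excerpt is constructed, and the "flag user agents seen from at most one client" rule is a heuristic chosen for this example.

```python
"""Stream a Bro (Zeek) ASCII log into Python dicts and flag uncommon user agents.

Added example, not the BroThon module's code. Sample log is constructed.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List

# Constructed http.log excerpt (not captured traffic); only a subset of the
# real http.log columns is present. Columns are tab-separated.
_HEADER = [
    "#separator \\x09",                # literal "\x09" in the file means TAB
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\tuser_agent\tstatus_code",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount",
]
_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
_ROWS = [  # constructed rows; uids are placeholders
    ["1496161101.123456", "Ca1", "10.0.0.5", "51234", "93.184.216.34", "80", "GET", "example.com", _BROWSER, "200"],
    ["1496161102.500000", "Cb2", "10.0.0.6", "51235", "93.184.216.34", "80", "GET", "example.com", _BROWSER, "200"],
    ["1496161103.000000", "Cc3", "10.0.0.7", "51236", "93.184.216.34", "80", "POST", "example.com", _BROWSER, "302"],
    ["1496161104.000000", "Cd4", "10.0.0.8", "51237", "198.51.100.20", "8080", "GET", "update.example.net", "python-requests/2.18.1", "200"],
    ["1496161105.000000", "Cd4", "10.0.0.8", "51237", "198.51.100.20", "8080", "GET", "update.example.net", "python-requests/2.18.1", "404"],
    ["1496161106.000000", "Ce5", "10.0.0.9", "51238", "203.0.113.7", "80", "GET", "-", "-", "-"],
]
SAMPLE_HTTP_LOG = "\n".join(_HEADER + ["\t".join(r) for r in _ROWS] + ["#close\t2017-05-30-16-40-00"]) + "\n"


def _convert(value: str, bro_type: str, unset: str, empty: str):
    """Map a raw column to a Python value using the #types declaration."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if bro_type == "time":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("double", "interval"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    return value  # string, addr, enum; set/vector columns stay as raw text here


def read_bro_log(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Generator: yield one dict per data row, driven by the log's own header."""
    fields: List[str] = []
    types: List[str] = []
    sep, unset, empty = "\t", "-", "(empty)"
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            else:
                key, _, rest = line[1:].partition(sep)
                if key == "fields":
                    fields = rest.split(sep)
                elif key == "types":
                    types = rest.split(sep)
                elif key == "unset_field":
                    unset = rest
                elif key == "empty_field":
                    empty = rest
            continue  # #path, #open, #close carry no row data
        if not fields or len(fields) != len(types):
            raise ValueError("data row seen before a complete #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {f: _convert(v, t, unset, empty) for f, v, t in zip(fields, values, types)}


def uncommon_user_agents(rows: Iterable[Dict[str, object]], max_clients: int = 1) -> List[str]:
    """User agents seen from at most `max_clients` distinct client IPs.

    Counting distinct clients rather than requests keeps a chatty host with a
    rare agent flagged while a browser string seen from many hosts is not.
    An unset agent is reported as '<unset>' since that is itself notable.
    """
    clients: Dict[str, set] = {}
    for row in rows:
        ua = row.get("user_agent")
        ua = "<unset>" if ua is None else str(ua)
        clients.setdefault(ua, set()).add(str(row["id.orig_h"]))
    return sorted(ua for ua, hosts in clients.items() if len(hosts) <= max_clients)


def to_dataframe(rows: Iterable[Dict[str, object]]):
    """Feed the generator to pandas (pandas is imported lazily; optional here)."""
    import pandas as pd
    return pd.DataFrame(list(rows))


if __name__ == "__main__":
    for ua in uncommon_user_agents(read_bro_log(SAMPLE_HTTP_LOG.splitlines())):
        print("uncommon user agent:", ua)
```

On a live system the same generator would be fed by a tailing reader that reopens the file on rotation; the parsing logic is unchanged, which is the point of keeping the header handling inside the generator rather than hard-coding column positions.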
As part of our efforts to provide data analysis and visualization to the security community, we have started putting together Jupyter notebooks that will take a deep dive into statistics, machine learning and visualization techniques. Our first notebook analyzes domain blacklists and uses maximum likelihood statistical significance tests to rank top-level domains: Risky Domains.
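As an added illustration of the kind of test the Risky Domains notebook applies (not the notebook's own code), the block below ranks top-level domains with the G-test, a log-likelihood-ratio test and therefore one maximum-likelihood significance test. For each TLD it builds a 2x2 table (blacklist vs. baseline, this TLD vs. all others), computes G and the one-degree-of-freedom chi-square p-value, and orders TLDs that are over-represented in the blacklist first. The two domain lists are constructed, the last-label TLD heuristic (no public-suffix handling) is an assumption, and the ranking rule is this example's choice.

```python
"""Rank TLDs by how over-represented they are in a domain blacklist (G-test).

Added example, not the Risky Domains notebook's code. Domain lists are
constructed; tld_of() takes the last label, with no public-suffix handling.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed blacklist (10 entries) and benign baseline (20 entries).
BLACKLIST = [
    "login-update.top", "secure-verify.top", "account-check.top",
    "free-gift.top", "wallet-sync.top",
    "cheap-meds.xyz", "prize-claim.xyz", "invoice-view.xyz",
    "legit-looking.com",
    "mail-service.ru",
]
BASELINE = [
    "example.com", "news.example.com", "mail.example.com", "cdn.example.com",
    "example-corp.com", "example-bank.com", "example-shop.com",
    "example-travel.com", "example-media.com", "example-cloud.com",
    "example-health.com", "example-games.com", "example-music.com",
    "example-auto.com",
    "example.org", "wiki.example.org", "docs.example.org",
    "example.net", "cdn.example.net",
    "example.xyz",
]


def tld_of(domain: str) -> str:
    """Last DNS label, lower-cased (assumption: good enough for this ranking)."""
    return domain.strip().rstrip(".").rsplit(".", 1)[-1].lower()


def g_test_2x2(a: int, b: int, c: int, d: int) -> float:
    """G = 2 * sum(O * ln(O / E)) over the four cells of [[a, b], [c, d]]."""
    n = a + b + c + d
    row = (a + b, c + d)
    col = (a + c, b + d)
    g = 0.0
    for obs, r, k in ((a, 0, 0), (b, 0, 1), (c, 1, 0), (d, 1, 1)):
        if obs == 0:
            continue  # the O * ln(O/E) term is zero for an empty cell
        expected = row[r] * col[k] / n
        g += obs * math.log(obs / expected)
    return 2.0 * g


def chi2_sf_1df(x: float) -> float:
    """Survival function of chi-square with 1 d.o.f., the G-test's reference."""
    return math.erfc(math.sqrt(x / 2.0))


def rank_tlds(bad_domains: Iterable[str], baseline_domains: Iterable[str]) -> List[Dict[str, object]]:
    """Per-TLD G statistic and p-value; over-represented TLDs first, by G."""
    bad = Counter(tld_of(d) for d in bad_domains)
    good = Counter(tld_of(d) for d in baseline_domains)
    n_bad, n_good = sum(bad.values()), sum(good.values())
    if n_bad == 0 or n_good == 0:
        raise ValueError("both domain lists must be non-empty")
    rows = []
    for tld in sorted(set(bad) | set(good)):
        a, c = bad[tld], good[tld]          # this TLD in blacklist / baseline
        g = g_test_2x2(a, n_bad - a, c, n_good - c)
        over = (a / n_bad) > (c / n_good)   # direction of the effect
        rows.append({"tld": tld, "blacklist": a, "baseline": c,
                     "G": g, "p": chi2_sf_1df(g), "over_represented": over})
    rows.sort(key=lambda r: (not r["over_represented"], -r["G"]))
    return rows


if __name__ == "__main__":
    for r in rank_tlds(BLACKLIST, BASELINE):
        flag = "OVER" if r["over_represented"] else "under"
        print(f'{r["tld"]:>5} {flag:>5} G={r["G"]:6.2f} p={r["p"]:.2e} '
              f'({r["blacklist"]} bad / {r["baseline"]} baseline)')
```

Two caveats a practitioner should keep in mind: the chi-square approximation is poor when expected cell counts are tiny (several cells here are below five, so the p-values are indicative only), and a blacklist whose collection method favours certain registrars will show those TLDs as "risky" regardless of actual abuse, so the baseline must be drawn from comparable traffic.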
The BroThon project is the first step of our endeavor into the information security space. We also have projects on streaming anomaly detection and visualization techniques in the pipeline. If you have any questions or would like to collaborate, please do not hesitate to contact us.