Lead Image © Yuri Arcurs, fotolia.com
Implementing custom security frameworks with Bro
Don't Hack Me Bro
Bro [1] is a high-quality security monitoring tool designed to discover and analyze traffic trends on your network. Bro provides in-depth analysis of network traffic without limiting itself to traditional signature-based approaches. I first heard about the Bro network security monitoring framework when a consultant friend of mine talked about melding the worlds of big data and security. My friend believed that traditional signature-based intrusion detection and monitoring simply wasn't enough to ensure a secure network.
The problem with networks is that, because of the increased number of devices, services, and tools used today, it's easy for attackers to enter networks in many different ways. Ransomware, botnets, malware, and remote control tools are readily available. Social engineering is especially prevalent now. Traditional intrusion detection and perimeter security tools just aren't up to the task.
Traditional monitoring tools are also having a hard time catching all of the anomalies. Bro, however, takes a different approach. The Bro framework is designed to monitor traffic on any layer. The default focus is on application layer traffic, but you can train Bro on any layer of the OSI stack. Bro is not really signature-based in its approach; it reviews traffic and looks for anomalous patterns. However, Bro also looks for similarities. It is ideal for setting baselines. Like many projects, Bro offers extensive commercial support.
Understanding Bro
The Bro application has three elements or layers:
- Monitoring engine: Software that listens to a network segment and reviews network traffic. This monitoring is similar to what Snort, Ntop, and other tools do. The engine also includes the event handler, which is designed to identify traffic and then act according to its configuration files.
- Policies:
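To show what the event handler described above looks like in practice, here is an added example of a small Bro policy script; it is not code from the article, and the module name, notice type, and the 50-destination threshold are assumptions chosen for illustration. It counts the distinct hosts each source talks to within an hour and raises a notice once a source crosses the threshold, which is the kind of baseline-versus-anomaly check the article refers to.

```bro
## Added example (not from the article): per-source destination baseline.
## Module name, notice type and threshold are illustrative assumptions.
@load base/frameworks/notice

module LocalBaseline;

export {
    redef enum Notice::Type += {
        ## Raised when one source has reached the configured number
        ## of distinct destination hosts within the expiry window.
        Excess_Destinations
    };

    ## Assumed threshold; tune to the baseline observed on your network.
    const dest_threshold = 50 &redef;
}

## Distinct destinations seen per source; entries expire an hour after creation.
global dests: table[addr] of set[addr] &create_expire=1hr;

## Event handler invoked by the engine for every established TCP connection.
event connection_established(c: connection)
{
    local src = c$id$orig_h;

    if ( src !in dests )
        dests[src] = set();

    add dests[src][c$id$resp_h];

    ## Fire exactly once per source per window, when the threshold is hit.
    if ( |dests[src]| == dest_threshold )
        NOTICE([$note=Excess_Destinations,
                $msg=fmt("%s reached %d distinct destinations within 1hr",
                         src, dest_threshold),
                $src=src,
                $identifier=cat(src)]);
}
```

Load it with `bro -r capture.pcap local-baseline.bro` (file name assumed) and the notice appears in notice.log.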