Bro - PSJoshi/Notes GitHub Wiki

• Bro Analysis Tools (BAT): Processing and analysis of Bro network data with Pandas, scikit-learn, and Spark - https://github.com/Kitware/bat

• Basic Anomaly IDS capabilities with Python and Bro - https://github.com/hashtagcyber/bropy

• How to Hunt Command & Control Channels Using Bro IDS and RITA - https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/

• Building data pipeline for Bro logs - http://www.binorassocies.com/en/blogs/2017/09/logstash-bro-example.html

• Analyze threat intelligence with Bro - https://blog.apnic.net/2017/03/13/analyze-threat-intel-bro/

• Bro-RasberryPi integration - https://github.com/binorassocies/brostash

• Bro some useful scripts - https://github.com/anthonykasza/scratch_pad

• Bro write snort like signatures - https://www.bro.org/sphinx/frameworks/signatures.html

• Exfilteration Bro scripts from Evernote security - https://github.com/evernote/bro-scripts

• Bro useful script from reservoir labs - https://github.com/reservoirlabs/bro-scripts

• Producer-consumer ratio for data ex-filteration:

  • PCR script - https://github.com/reservoirlabs/bro-producer-consumer-ratio
  • PCR presentation - http://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_90063.pdf

• Bro to hunt persistent threats - https://www.bro.org/brocon2017/slides/persistent_threats.pdf

• Bro customization scripts - https://gist.github.com/mavam/5028034

• Bro file analysis - https://www.bro.org/current/slides/file_analysis-Bill_Stackpole.pdf

• Bro logs cheatsheet - http://gauss.ececs.uc.edu/Courses/c5155/pdf/bro_log_vars.pdf

• Modern cyber security stack using Bro - http://www.icir.org/robin/slides/ntnu17-bro-stack.pdf

• Network security monitoring using Bro platform - https://cacr.iu.edu/files/documents/pdf/broverview-nsf-cacr-2016.pdf

• Bro with OSquery integration - https://github.com/bro/bro-osquery

• Bro DNS injections, SQL injections - https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=teaching:netsec:2016:reports:t12:relation_netsec_lab.pdf

• Bro doctor - Useful for debugging of Bro cluster issues - https://github.com/ncsa/bro-doctor

• Bro modules for entropy and file extraction - https://github.com/BrashEndeavours/bro-scripts

Interesting papers

• Protocol detection capabilities in Bro - https://digirola.files.wordpress.com/2012/11/imt4022-digitalforensicsii_rogerlarsen_2012-06_final.pdf
• On using machine learning in network intrusion detection - https://digirola.files.wordpress.com/2012/11/imt4022-digitalforensicsii_rogerlarsen_2012-06_final.pdf

Encrypted traffic analysis using Bro/Zeek

• JA3 asking for a friend (2019) - https://www.youtube.com/watch?v=HrP6Ep3xgQM&t=684s
• Network forensics in an encrypted world (2017 but covers a lot of indicators you can hunt on) - https://www.youtube.com/watch?v=APHlvFaUEKE&t=1930s
• Encrypted things: Network detection and response in an encrypted world - https://www.youtube.com/watch?v=HPvIGP2mgbI&t=2667s
• Security Onion Conference 2019: Finding traffic anomalies using SSL certificates - https://www.youtube.com/watch?v=-WD9BWlENwc&t=762s