Building a Better Security Appliance

In the past, this blog has discussed how one might set up a rule-based cyber security application such as Snort or Suricata on 10Gb Ethernet using Myricom’s FastStack Sniffer10G packet capture solution. I recently learned of another approach to managing cyber security that takes a different route: it leverages detailed traffic logs and an advanced scripting engine tuned for analyzing Internet-sourced content. The application is called Bro, and it is fast becoming the hot new tool for managing cyber security. A partner of ours, Reservoir Labs, recently released a 1U cyber security appliance that at its core uses Bro with FastStack Sniffer10G to provide a stand-alone or managed-cluster solution.

While Snort and Suricata rely on rules to analyze traffic, Bro uses a scripting language designed to manipulate Internet-sourced packet flows. Here is how packets actually flow through this solution. Raw traffic is captured via a network tap wired into an Emulex card running FastStack Sniffer10G. Sniffer10G then uses flow hashing on a four-tuple (source/destination address and port) to spread inbound traffic across ring buffers attached to each core on the server. Bro connects to these Libpcap-structured ring buffers and combs through the data using a sophisticated schema designed to identify and log real-time traffic as flows. With an instance of Bro running on each core, the solution can leverage the full system to search for threats. The scripting language resembles Python, but it was designed to analyze traffic flows looking for dynamic cyber-attacks.
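The flow-hashing step above is the part of the pipeline that decides whether per-core analysis is sound: an IDS only sees a connection correctly if both directions of it land on the same worker. The following is an added example, not code from this post, from Myricom, or from Bro or Reservoir Labs. It models the four-tuple distribution with a symmetric hash (the address/port pairs are sorted before hashing, so client-to-server and server-to-client packets map to the same ring) and includes a check that no connection has been split across workers. The worker count, the sample packets and the use of BLAKE2b as the hash are all assumptions made for illustration; Sniffer10G's actual hash function is not described in the post.

```python
"""Added example: symmetric four-tuple flow hashing across per-core ring buffers."""
import hashlib
import ipaddress
from collections import defaultdict

NUM_WORKERS = 4  # constructed: one worker (ring buffer + Bro process) per core


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical, direction-independent four-tuple (address/port pairs sorted)."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    return (a, b) if a <= b else (b, a)


def worker_for(src_ip, src_port, dst_ip, dst_port, num_workers=NUM_WORKERS):
    """Map a packet to a worker index; both directions of a connection get the same index.

    BLAKE2b is used here purely for illustration (assumption, not the NIC's real hash).
    """
    (ip1, p1), (ip2, p2) = flow_key(src_ip, src_port, dst_ip, dst_port)
    material = ip1 + p1.to_bytes(2, "big") + ip2 + p2.to_bytes(2, "big")
    digest = hashlib.blake2b(material, digest_size=8).digest()
    return int.from_bytes(digest, "big") % num_workers


def distribute(packets, num_workers=NUM_WORKERS):
    """Group packets (dicts with src/sport/dst/dport) by worker, as the load balancer would."""
    rings = defaultdict(list)
    for pkt in packets:
        idx = worker_for(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], num_workers)
        rings[idx].append(pkt)
    return dict(rings)


def flows_split_across_workers(packets, num_workers=NUM_WORKERS):
    """Return flow keys whose packets landed on more than one worker (should be empty)."""
    seen = defaultdict(set)
    for pkt in packets:
        key = flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        seen[key].add(worker_for(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], num_workers))
    return [key for key, workers in seen.items() if len(workers) > 1]


# Constructed sample traffic: one HTTPS connection and one DNS exchange, each seen in both directions
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 443},
    {"src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 51234},
    {"src": "10.0.0.5", "sport": 53001, "dst": "10.0.0.53", "dport": 53},
    {"src": "10.0.0.53", "sport": 53, "dst": "10.0.0.5", "dport": 53001},
]

if __name__ == "__main__":
    for idx, pkts in sorted(distribute(SAMPLE_PACKETS).items()):
        print(f"worker {idx}: {len(pkts)} packet(s)")
    print("flows split across workers:", flows_split_across_workers(SAMPLE_PACKETS))
```

The sort in `flow_key` is what makes the distribution symmetric; hashing the raw (src, dst) order instead would send the two halves of a connection to different cores, and per-core analyzers would then see only one side of every session.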

Furthermore, Bro can run standalone or via a unified, cluster-based management framework. While all this sounds new, it isn’t: Bro has a long history, coming out of Lawrence Berkeley National Labs, where it has been running in production since 1996. So if you’re building a state-of-the-art cyber security infrastructure for your enterprise, you should seriously consider utilizing Bro, or tap into the folks at Reservoir Labs.