15 Jan The BrOSI Model
Hello everybody! Broversity Lesson 5 (using the Notice Framework) is just around the corner, but in the meantime, as we all prepare for Shmoocon Labs – here’s a quick overview of all the parts that get put together to make up Bro.
At BSides DC, we were talking about Liam’s presentation on the “model” of Bro – and I coined the term – the BrOSI model – and here it is:
Here we have 3 steps of our model (from the bottom up)
- The Platform – these are the APIs, Analyzers (file, http, smtp, etc..) Daemons (bro managers/proxies/workers), Bro Control, bro-cut, BinPAC (for writing analyzers), capstats, and a few more. You can learn about these individual components here.
- The BPL – BPL, or BPL stands for the Bro Programming Language. Bro is network agnostic and designed to be policy driven. For example – your network may have a policy only allowing AES 256 encryption. You’d then use the BPNL to write a Bro policy script that writes a Notice whenever we see any other type of encryption on the wire.
- Bro Applications – A Bro App is a set of Bro policy scripts, possibly combined with protocol analyzers (e.g. SCADA -> Modbus, DNP3) to apply to a particular situation. In the SCADA example, we combine the Modbus and DNP3 protocol analyzers with policy scripts that detect interesting behavior from SCADA devices that use those protocols. For example, we may know that a device normally never uses FTP so we’d have a policy script that triggers if we see FTP. Or if we see specific SCADA commands. (e.g. shut down).
That’s our BrOSI post for today, if you are at Shmoocon in DC this weekend, make sure to say hello!