Healthy Paranoia Show 11: Bro – the Outer Limits of IDS

Join Mrs. Y, Taylor Banks and esteemed Nerd Captain Ivan Pepelnjak for another exciting episode of Healthy Paranoia!  In this installment, we discover the day the security industry stood still for Bro IDS with expert and project contributor Liam Randall.

Just a few of the fun facts you’ll learn include:

  • The real meaning of “bromance.”
  • What happens when someone says “no” to Ivan.
  • It’s impossible to record a Packetpushers or Healthy Paranoia episode without making unicorn jokes.
  • It’s also impossible to record a Packetpushers or Healthy Paranoia episode without bringing up SDN.
  • The accurate translation of “Klaatu barada nikto” is “Disable Java now.”

Show Notes:gort_hates_java

Bro Quickstart & packages

Intro to Google Capirca

AOL’s Trigger

OpenFlow and Bro IDS


Liam Randall’s Bro Presentations

The fun and amazing Security Onion



ELSA (Enterprise Log Search and Archive)

Dualcomm Technology (inexpensive network taps)

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
Mrs. Y
Mrs. Y
  • Jerold Swan

    As a longtime fan of IOSHints and a relatively new fan of Bro, I really enjoyed this show. Like Mrs. Y, I heard about Bro probably 5 years ago but gave up on trying to compile and install it until it became available in Security Onion. Building on that, I tried installing it from scratch, and just as Liam says, it’s relatively pain-free now. I haven’t tried integrating it with ELSA from scratch yet, but that’s coming up on my to-do list.

    Building on Taylor’s comment about these tools in smaller organizations, I really think that Bro, ELSA, and Security Onion are a natural fit for the smaller enterprise. Smaller organizations often end up buying fantastically expensive commercial tools with a more limited feature range merely to check a compliance box, and they essentially become shelfware. With Bro, ELSA, and SO, you can start by using them tactically to solve specific problems and demonstrate strategic value, then once that’s done move them into full production.

    And BTW, the big-iron logging tool that Liam was blanking on is HP ArcSight Logger. I believe that there’s a switch in Bro 2.1 to enable binary log export directly in ArcSight format (so you don’t have to use syslog tricks). I don’t know if this format can be consumed by any OSS tools, though.

  • What Lies Beneath

    Just listened to this; security normally bores me rigid but this was very interesting and informative; it’s certainly provided lots of food for thought. Thanks

  • babbz

    Very informative. Very enjoyable.
    Going to start playing with Security Onion & Bro-IDS.

  • Terence Namusonge

    Really enjoyed this podcast and fooling around with bro as we speak – thank you