Hands On Bro Scripting [Applied Network Defense]

Hands-On Bro Scripting is a foundational course that will help you unlock the flexibility of Bro to make sure you have the right data at the right time. When you take this course, you’ll learn:

  • The fundamentals of Bro scripting with hands-on, real-world scripts being developed along the way.
  • Effective approaches for maximizing your sensor resources.
  • How to effectively filter log data to minimize network bandwidth use.
  • Techniques for debugging and analyzing new and existing scripts.
  • Best practices for building your own custom Bro events.
  • How to leverage Bro’s frameworks: intel, file analysis, input, summary statistics, notice, and conn threshold.

Description

If you miss an attacker on your network, it’s probably not because you don’t have enough data. It’s more likely that you have too much data.

Bro (recently renamed to Zeek) is the world’s most flexible network security platform, and thousands of organizations use it to reduce network packet streams down to noteworthy events. While Bro’s out-of-the-box capabilities are robust, they merely scratch the surface. Bro isn’t just a tool; it’s a programming language. That means Bro…

  • …is an IDS that can be used to go beyond signature-based matching and detect things that might be missed.
  • …will match complex sequences of events that are benign by themselves, but malicious when occurring together.
  • …can generate statistics for anomaly detection and network-based hunting.
  • …produces evidence useful for enriching and investigating alerts from other tools.

You’ll also develop useful foundational scripts you can use to guide your detection and analysis. This includes scripts for detecting large HTTP flows, extracting files based on MIME type, determining the ratios of HTTP methods, firing events based on connection thresholds, and protocol filtering scripts.
