People that encountered network security probably know the name "Bro" much better. Apparently they rebranded in 2018.
Wikipedia has the following to say about it:
> Dr. Paxson originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named “zeek”, thereby inspiring the name change in 2018.
because it's probably the world's most popular security monitoring platform? it's been around for a long time, it does it's job very well, and it's available in whatever flavor of implementation difficulty you want. from completely free roll yourself, to easy to deploy via push button with thousands of detections already to go for you.
even most of the enterprise solutions sold for network monitoring proudly boast that they use bro under the hood for their stream parsing engine.
I agree, and I'd like to understand the reason why "probably" disappeared from the press release. If you claim something, you should be able to back it up with some numbers, right? I'm a big fan of Bro and fully agree with the "leading solution" or "everybody is using it" phrases, I just miss the data that would make it the number one.
I’ve been a part of teams that have sold tons of it to European governments and corporations. Anything the US Department of Defense uses has a great chance of being used across Europe. We train Euro militaries on how to use these tools.
I hear this phrase about many software platforms. That's why I'd like to see some numbers before someone uses an absolute qualifier. I have no idea how popular is Zeek against OSSEC, Suricata or Snort these days, I'm just wary of claiming something without providing any justification.
I think the real issue here is that things like Snort, Suricata, and Zeek are just not very popular as a class of security thingy anymore. Certainly, for the last 10 years or so, I'd have advised most startups I worked with against deploying anything like them. There was, in the long-long-ago, a huge industry debate about whether detection and response was best done in the network or on the endpoint. That debate has been settled: most places deploy EDR, and few places deploy IPS.
Other "fun" fact. I went to a B-Sides conference where one of the higher ups from the Bro Platform talked about how they had to purchase the domain from a fraternity.
Zeek is cool but I always thought Bro was a neat name for a sec product.
Hey at least that’s deniably dishonest. We are tangibly dishonest when we fund a conference in our sector and win best product in the sector every year!
Yeah so Zeek/Bro might be more of an intrusion detection tool, in the vein of snort or suricata, in that it can monitor network traffic and alert on suspicious patterns. It has some things in common with tcpdump or wireshark also, in that it can interpret common protocols for human inspection.
As part of Windows, I would speculate it serves a function similar to something like Little Snitch on macOS, but that’s just a guess. Maybe they have something different in mind.
Yeah more of a OSS network traffic inspector for security monitoring.
I think it ships with IDS rules nowadays, but we see it generally more for manual impl. We see often fed into Splunk or ELK to feed custom detections, and especially enriching context to simplify investigating alerts by detection tools. Its investment into cross-record correlation IDs make graph-based investigations super effective: you can grab all sessions at an impact period and see them fan out across entities, resources, time, etc!
We mostly see it in sec teams in gov + DIY/code-heavy enterprise. Super popular bc those teams have more time to figure out tuned use of the rich low-level data, maybe budget to store it, and OSS means they can avoid the vendor dance.
CoreLight, who we did a popular webinar with awhile back showing how to enable rich visual hunting & investigation for the data by combining with Graphistry, is the biggest dedicated vendor building hw/sw to make it all more manageable at scale. So seeing in Windows is probably big news for their community..
Am I just incredibly cynical today or does this read like dense corporate bullshit and lies from start to finish? I have no idea what the software does but it sounds like network-sniffing, privacy-intruding malware being severely sugarcoated? It even starts out with the clichéd line of being “strongly committed to open-source” coming from a Microsoft executive, who (correct me if I'm wrong) haven't open-sourced Windows. Am I the only one who gets dystopian vibes from this?
Zeek is a network protocol parser used to monitor network activity. It parses protocols such as SMTP, DNS, TLS, HTTP, FTP, File, SSH, etc. and collects metadata about that activity.
Here's some of the DNS fields it extracts as it observes the traffic:
No. It parses that protocol and logs the metadata observed (time, duration, bytes, source IP, destination IP, ports, cert info, etc.)
Edit: I suppose it could be configured to do that. I've used Zeek in several organizations over the last 15 years and I have never seen it used in that way. However, Zeek running on a client computer (not on a cluster being fed from a 100 Gbit tap or SPAN) would be more scalable. And this announcement is about that.
If you have the keys, it looks like it can[1][2] (a contingency is that connections must use `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`) -- it seems like it's basically the same thing as Wireshark (a network packet sniffer for debugging/forensic purposes).
Not sure why everyone on HN is freaking out about it. It's actually pretty annoying to have to install Wireshark (including their capture driver) every time I need to debug over-the-wire network data.
Well I'm not going to pretend all of Microsoft's efforts have gone into being progressively more sleazy, just most of them. 2009 is the year Windows 7 released.
The idea is that Windows 7 was the last release without network-sniffing, privacy-intruding malware (at least, as it came stock from Microsoft, which it did not when preinstalled on a typical PC).
For me it seemed that with Windows 11, Microsoft was attempting to recreate the hypetrain they'd built for Windows 95 -- but without the groundbreaking improvements over the previous version of Windows that Windows 95 had. And the result was just desperate and sad.
Wouldn't the alternative be putting everything behind an airgap and foregoing creature comforts to create parallel infrastructure at great cost? Threat actors don't care about your privacy concerns either.
the details here are insanely thin on the how. is this rolled out to every windows 10/11 os in the next security kb? is this a windows feature that can be enabled by enterprise editing only? do I need defender atp license for it? can I fw the data to my detection engine at my enterprise like normal or does this go to a cloud console in azure somewhere first? is this designed to be available to enterprises, or data to improve Microsoft's defender product?
if ms is getting this data, how the hell can they afford the disk space?! my bro implementation was 250GB/h of disk space for 20k endpoints. I can only fathom what all windows agents would generate.
What I gather and maybe I'm wrong, but it sounds like this is a third party component and not something that is shipped with Windows by default. The post was full of so much BS I had to click off it quickly
That one is easy, having worked with space-constrained data collection myself (not personal data, it's sensor data so no ethical concerns).
You do a "pre-summarization" of the data on the client side, and just send a report to the mothership. Consequence of this is that it will result in using CPU resources of the client - and that explains why the telemetry service eats so much of it on Windows.
There’s some information here on how Defender approaches this (processing data, nothing specific to Zeek) and which talks about the scale — many petabytes of data and trillions of datapoints.
Interestingly you can get access also as small business. Just purchase the Microsoft 365 E5 license. Price is something like 50-70€/month, 12M subscription. This can be convenient, if you have requirements to use this kind of tools from your customers.
And they actually log a lot of stuff. When enabled you can see (on cloud) pretty detailed information on what has happened to workstation.
I had a chance to use Bro a few years back in a network traffic analysis software and the code was fairly bad - global states, no multithreading, weird scripting language (because of which everything was dynamically allocated with measurable overhead). We ended up implementing our own traffic analyzer, during which we found that major protocols implementations in Bro had bugs or failed to detect or parse valid traffic.
I hope they got better over the years, if they want to integrate into such major products...
Well, putting it on the endpoint will actually make scalability much less of an issue and allow them to get away with much more sloppiness. So I'm not optimistic.
They operate in completely different ways, but depending on what you're looking for, you might want to look at Suricata, especially for protocol decoding (a good chunk, especially the decoders, are built on the AMAZING `nom` parser-combinator crate in Rust and super extensible if you want to build your own decoders)
A zero-ruleset (if you're not looking at actual pattern-matching or IDS functionality) deployment of Suri is surprisingly lightweight and performant, and it's also easy to roll rules for your custom decoders as well if you want to actually alert on certain things instead of just doing straight decoding and dumping to JSON
Zeek can produce a lot of data especially with so many endpoints. If you want an open source low cost way to actually analyze all that data in your own cloud data lake, check out/follow https://github.com/matanolabs/matano.
We're gonna be launching managed support for Zeek soon, where you can just dump Zeek logs in S3 and get out normalized Apache Iceberg tables for all ~43 Zeek logs.
Could you please stop posting unsubstantive comments to Hacker News? You've been doing it a lot, unfortunately, and we end up having to ban that sort of account as it's not what this site is for, and it destroys what it is for.
Is "QUANTUM" what we're calling TCP hijacking now? From the Fox-IT presentation, it sure seems like this attack is identical to Joncheray's '95 "Simple Active Attack on TCP", and, like, every TCP hijacking tfile written after that. If that's the case, the reason Suricata and Snort might not detect it is that nobody cares; it's an extraordinarily situational, second-order, and low-impact attack.
Quantum insert is actually rather simpler than that attack. Watch for GET request, passively, then inject a response, racing the web server. The real response arrives a millisecond late and gets dropped as duplicate. No need to desync streams.
If you care then you're already running TLS anyway, and they'd only be able to inject garbage. If you don't run TLS then it's already game over anyway.
If it's what I think it is, it was extremely useful in the mid-1990s, when nothing was encrypted. Today, it's just one of 100 different ways to deliver a browser clientside exploit, and it's far from the most common or effective. But NSA gave it a stupid name, so people think it's important. It is not.
Off-topic curiosity: Zeek was the name of one of the initial high quality (flash) animations [1] I produced before the dot com crash. Afterwards it appeared in the anime oriented TV channel Locomotion [2]. The name was obviously based in the meaning of geek.
> Corelight, the leader in open network detection and response (NDR), today announced the integration of Zeek®, the world’s most popular open source network security monitoring platform,...
How not to write an opener of your press release.
From "the leader", to (r), to "world's most popular" - so much marketing b/s in so few words. It's just awful.
82 comments
[ 476 ms ] story [ 3542 ms ] threadPeople that encountered network security probably know the name "Bro" much better. Apparently they rebranded in 2018.
Wikipedia has the following to say about it:
> Dr. Paxson originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named “zeek”, thereby inspiring the name change in 2018.
even most of the enterprise solutions sold for network monitoring proudly boast that they use bro under the hood for their stream parsing engine.
I agree, and I'd like to understand the reason why "probably" disappeared from the press release. If you claim something, you should be able to back it up with some numbers, right? I'm a big fan of Bro and fully agree with the "leading solution" or "everybody is using it" phrases, I just miss the data that would make it the number one.
Could your POV be somewhat US-centric?
I hear this phrase about many software platforms. That's why I'd like to see some numbers before someone uses an absolute qualifier. I have no idea how popular is Zeek against OSSEC, Suricata or Snort these days, I'm just wary of claiming something without providing any justification.
Also startups make up almost nothing of the ecosystem. Fortune 1000 and Gov have millions of different departments that have their own requirements.
Zeek is cool but I always thought Bro was a neat name for a sec product.
I wonder how long until Palantir rebrands...
Also the least popular.
I have heard of: Ganglia, nagios, graylog, grafana, science logic and others. And I've used most of them.
As part of Windows, I would speculate it serves a function similar to something like Little Snitch on macOS, but that’s just a guess. Maybe they have something different in mind.
I think it ships with IDS rules nowadays, but we see it generally more for manual impl. We see often fed into Splunk or ELK to feed custom detections, and especially enriching context to simplify investigating alerts by detection tools. Its investment into cross-record correlation IDs make graph-based investigations super effective: you can grab all sessions at an impact period and see them fan out across entities, resources, time, etc!
We mostly see it in sec teams in gov + DIY/code-heavy enterprise. Super popular bc those teams have more time to figure out tuned use of the rich low-level data, maybe budget to store it, and OSS means they can avoid the vendor dance.
CoreLight, who we did a popular webinar with awhile back showing how to enable rich visual hunting & investigation for the data by combining with Graphistry, is the biggest dedicated vendor building hw/sw to make it all more manageable at scale. So seeing in Windows is probably big news for their community..
Here's some of the DNS fields it extracts as it observes the traffic:
https://docs.zeek.org/en/current/scripts/base/protocols/dns/...
Edit: I suppose it could be configured to do that. I've used Zeek in several organizations over the last 15 years and I have never seen it used in that way. However, Zeek running on a client computer (not on a cluster being fed from a 100 Gbit tap or SPAN) would be more scalable. And this announcement is about that.
Here's a nice paper on how Zeek has been configured to monitor fast networks: https://commons.lbl.gov/download/attachments/120063098/100GI...
Not sure why everyone on HN is freaking out about it. It's actually pretty annoying to have to install Wireshark (including their capture driver) every time I need to debug over-the-wire network data.
[1] https://docs.zeek.org/en/current/scripts/policy/protocols/ss...
[2] https://docs.zeek.org/en/current/scripts/base/bif/plugins/Ze...
> I have no idea what the software does but it sounds like network-sniffing, privacy-intruding malware being severely sugarcoated?
It used to be named “Bro” as in “Big Brother”. So yea, it was designed to be very intrusive to privacy concerns.
AKA 80% of Windows development since 2009?
...only that now it's more of a panic attack.
It reads like a press release, because it is. Note the "Press Release" banner at top, and the "About *" blurbs at the bottom.
> Am I the only one who gets dystopian vibes from this?
No, also the tool's founder, which is why he named it Bro, as in Big Brother.
if ms is getting this data, how the hell can they afford the disk space?! my bro implementation was 250GB/h of disk space for 20k endpoints. I can only fathom what all windows agents would generate.
soo many questions around this still
You do a "pre-summarization" of the data on the client side, and just send a report to the mothership. Consequence of this is that it will result in using CPU resources of the client - and that explains why the telemetry service eats so much of it on Windows.
https://techcommunity.microsoft.com/t5/microsoft-defender-fo...
https://customers.microsoft.com/en-us/story/1540745195786192...
Interestingly you can get access also as small business. Just purchase the Microsoft 365 E5 license. Price is something like 50-70€/month, 12M subscription. This can be convenient, if you have requirements to use this kind of tools from your customers.
And they actually log a lot of stuff. When enabled you can see (on cloud) pretty detailed information on what has happened to workstation.
https://github.com/microsoft/ms-zeek
https://zeek.org/
I hope they got better over the years, if they want to integrate into such major products...
A zero-ruleset (if you're not looking at actual pattern-matching or IDS functionality) deployment of Suri is surprisingly lightweight and performant, and it's also easy to roll rules for your custom decoders as well if you want to actually alert on certain things instead of just doing straight decoding and dumping to JSON
We're gonna be launching managed support for Zeek soon, where you can just dump Zeek logs in S3 and get out normalized Apache Iceberg tables for all ~43 Zeek logs.
https://news.ycombinator.com/newsguidelines.html
use the original name, it's much better:
Microsoft Bro
Zeek script: https://github.com/fox-it/bro-scripts
Presentation: https://old.zeek.org/brocon2015/slides/hu_qi_detection.pdf
[1] http://swain.webframe.org/zeek.html
[2] https://en.wikipedia.org/wiki/Locomotion_%28TV_channel%29
[1] https://archive.org/details/ZeektheGeek_1020
How not to write an opener of your press release.
From "the leader", to (r), to "world's most popular" - so much marketing b/s in so few words. It's just awful.