I first saw the name "bro" and thought, "ohh geez..." but then I took a look and found this is coming from very serious people. The kind of people that wouldn't make a brogrammer joke.
That paper is from 1999, but Bro probably predates that; I talked to Vern in person about Bro when we wrote our 1998 "Insertion Evasion" paper --- Vern had independently discovered many of the same design flaws we did and captured them in the Bro paper.
Vern Paxson is extraordinarily serious; he was part of the LBL network research group team, alongside Van Jacobsen and Steve McCanne and Sally Floyd. That was one of the most famous network research teams in... well, the history of the Internet.
I hate to say it, but despite their prior claim to the name, today's reality means that the name will be a persistent distraction from the underlying product.
It's not remotely fair, but that doesn't make it untrue. Just ask the diet pill company from the early 1980s that used to advertise "Ayds helps you control your appetite so you lose weight!" Or the many Hindus today who are frustrated that their Swastika earrings get mistaken for an endorsement of Nazism.
Bro culture in tech is a poison, and one of the many crappy things about poison is its tendency to contaminate otherwise harmless things that happen to be nearby.
Are you at all familiar with Bro? Could you, for instance, state some ways that it's different than it's leading open source competitor? (It would also be good if you knew who that was.) Or for that matter any of the innovations that Bro introduced?
If you can, I'll take your argument seriously (although, fair warning, I'll take it seriously long enough to beat it to death with a shovel).
I have not the slightest familiarity with Bro or its competitors, and I wouldn't dream of pretending to. My comment here is entirely from the perspective of an outsider hearing about the project and trying to figure out whether learning more about it could be valuable to me.
I can see at least two very sensible ways in which the concern that I've shared here could be unimportant (and you may see others). I don't even know enough to know to what degree either applies here.
One might be if nobody but an established specialist in the field would ever have a need to assess, use, or contribute to Bro or its competitors. In that case, the negative associations with the name would be unimportant: the specialists would be fully invested in the technical details, and the name wouldn't have any substantial exposure to the broader tech community. (The only cost would be occasional unimportant dust-ups when that exposure happens, as in this case.)
Another might be if there is a good chance that the importance of this project will outlast the public prominence of bro culture in tech. (Given the longevity of Bro to date and the promising backlash against bro culture, that seems quite plausible.) In that case, it might be entirely sensible to just weather the current storm of negative associations and trust that everyone will have forgotten brogrammers in five years. (That's only fully applicable if they really are forgotten, though, rather than being a lingering negative memory.)
You may have other reasonable arguments for setting aside the concerns that I've raised as well. But I do think that occasional undeserved distractions because of the name are inevitable, and I could imagine them being a real problem.
This comment is extremely unproductive. Unfortunately, that's the whole of the response I believe it merits. I'm sure you'll write many useful things elsewhere on the site; this just isn't one of them.
In short, they acknowledge the possible confusion but honestly I think we are getting way too hypersensitive here in America.
Out of curiosity, if everyone saying the word Bro has a negative connotation could state where they are I have a suspicion this is a predominately California thing.
If we keep treating words with such distaste we are basically just practicing a form of newspeak or censorship. Is it possibly deserved? Maybe, but I think we are overreacting here to be honest.
This is an OLD project, saying it should change just to appease the pathos of certain programming communities seems premature.
Yes, seriously. It's just a word, like "sis" or "gal" or "the", and has no inherent negative or positive connotations.
Somebody has invented drama around this word, some other people have bought into it, and now more people are just trying to stir it up again because Hacker News has somehow gone a whole two days without senseless bickering.
So we grow a backbone and tread on, ignoring the people trying to manufacture scandal for their own entertainment or empowerment, or we let one city's subculture control the rights to the English language.
That is, until you get fired from your job for thoughtcrime. Being politically correct and believing/saying the right things is required for employment in the tech industry now.
Perhaps bro is free (unless you spring for commercial support) whereas with snort you may want to pay to subscribe to the filter updates (not certain).
No offense, but it's also extremely inaccurate; that is not a good dividing line to draw between the two projects.
The previous Bro thread had a decent comparison between the two projects.
If I was going to deploy a network IDS/IPS somewhere (spoiler: I wouldn't), it'd be Snort. If I was going to monitor a network in general, or do network monitoring research, I'd use Bro.
Sometime when we're in an unburied thread and I'm not prepping to travel out of the country the next day, I'll be happy to write a couple thousand words on this. But fair warning, I probably won't say anything you wouldn't expect me to say after reading what I wrote about it back in '98 (Google [insertion evasion]).
There's certainly some overlap in functionality - both Snort and Bro support signature-based detections. This type of detection has been around since the 90's and while it works, it has many limitations.
If you have high-quality signatures and detections, Bro will do a great job of protecting your network. It has automation capabilities, so it can e-mail the system administrator about a suspicious download, or even reach out to your firewall and block an IP that's scanning you.
However, Bro makes the important assumption that regardless of how good your detections are, you will miss something. A new 0-day will come out, a chain of seemingly innocuous events will be combined in such a way that results in a compromise, etc. To deal with this, Bro tries to log as much as it can (within reason), so that in the event of a compromise, you can go back and see what a particular host did.
For example, when you visit this page, Bro might log something like:
1) 1.2.3.4 issued a DNS A query for news.ycombinator.com and received a response of 198.41.190.47 with a TTL of 300.
2) 1.2.3.4 issued an HTTP GET request for / and received a response of 200 OK
3) 1.2.3.4 downloaded a file over HTTP named index.html with a MD5 of X and a SHA1 of Y
The extra capabilities this provides is evident when a new attack becomes public. With Snort, you would add a new detection, and would receive alerts going forward. With Bro, you can also ask the question "Have I been attacked with this before?" A good example is the APT1 report from Mandiant which listed suspected Chinese hacker IPs, domain names, SSL certs, etc. All that information is stored in the Bro logs, which enables you to do some post-hoc analysis.
There's a ton of other functionality that I'm ignoring. Examples include: a Turing-complete scripting language for writing complex detections, an intelligence framework to watch for suspicious e-mails, IPs, domains, files, etc. and a files framework which can extract certain file types and send them to other tools for additional analysis.
And the word "bro" means a lot more than just "brogrammer" in the wider world outside of Silicon Valley. It's not necessarily pejorative in all use cases. I think it's fine that this stays "bro". Don't let shitty web magazines dictate the language for the rest of us.
Can we stop pretending this is a controversy in which our opinions about the name matters? Bro has been Bro for almost as much time as the network simulator has been named "ns"; longer, in fact, than Pathchar. Bro simply is its name. There's no discussion to be had about it.
This is an obvious dupe [1]. Submitters: please check for these. It's y
The name is also, as that recent thread made clear, an obvious special case. And bikeshed flamewars are the last thing we need here—or rather two of the last things we need here, squared. If you have nothing substantive to say about a serious piece of work, not commenting at all is a wise choice.
You should happy to note that the name is something we don't bikeshed about within the Bro project. The name is staying. It will far outlast the negativity.
I liked the following comment from the old thread, written by mavam:
===
(Disclaimer: Bro team member)
First, Bro is a Turing-complete scripting language ("the Python for the network") and Snort/Suricata a system centered around regular-expression matching [1]. These two paradigms have fundamentally different levels of expressiveness.
39 comments
[ 3.5 ms ] story [ 89.4 ms ] threadCan anyone explain the name of the project?
http://www.icir.org/vern/papers/bro-CN99.html
The name is short for "big brother" - an Orwell reference.
Vern Paxson is extraordinarily serious; he was part of the LBL network research group team, alongside Van Jacobsen and Steve McCanne and Sally Floyd. That was one of the most famous network research teams in... well, the history of the Internet.
It's not remotely fair, but that doesn't make it untrue. Just ask the diet pill company from the early 1980s that used to advertise "Ayds helps you control your appetite so you lose weight!" Or the many Hindus today who are frustrated that their Swastika earrings get mistaken for an endorsement of Nazism.
Bro culture in tech is a poison, and one of the many crappy things about poison is its tendency to contaminate otherwise harmless things that happen to be nearby.
If you can, I'll take your argument seriously (although, fair warning, I'll take it seriously long enough to beat it to death with a shovel).
Edit: I'm going to leave that typo as is.
I can see at least two very sensible ways in which the concern that I've shared here could be unimportant (and you may see others). I don't even know enough to know to what degree either applies here.
One might be if nobody but an established specialist in the field would ever have a need to assess, use, or contribute to Bro or its competitors. In that case, the negative associations with the name would be unimportant: the specialists would be fully invested in the technical details, and the name wouldn't have any substantial exposure to the broader tech community. (The only cost would be occasional unimportant dust-ups when that exposure happens, as in this case.)
Another might be if there is a good chance that the importance of this project will outlast the public prominence of bro culture in tech. (Given the longevity of Bro to date and the promising backlash against bro culture, that seems quite plausible.) In that case, it might be entirely sensible to just weather the current storm of negative associations and trust that everyone will have forgotten brogrammers in five years. (That's only fully applicable if they really are forgotten, though, rather than being a lingering negative memory.)
You may have other reasonable arguments for setting aside the concerns that I've raised as well. But I do think that occasional undeserved distractions because of the name are inevitable, and I could imagine them being a real problem.
Have you considered the possibility that you're being that distraction and creating that problem?
Go watch a couple of the developers talk about Bro on FLOSS weekly a few weeks ago here: http://twit.tv/show/floss-weekly/296
In short, they acknowledge the possible confusion but honestly I think we are getting way too hypersensitive here in America.
Out of curiosity, if everyone saying the word Bro has a negative connotation could state where they are I have a suspicion this is a predominately California thing.
If we keep treating words with such distaste we are basically just practicing a form of newspeak or censorship. Is it possibly deserved? Maybe, but I think we are overreacting here to be honest.
This is an OLD project, saying it should change just to appease the pathos of certain programming communities seems premature.
If they're going for a Big Brother reference, why not a name like BB or George[Orwell] or something from Newspeak?
Denotatively, it's meaningless. Connotatively, it's turned into a pretty objectionable term, in my opinion.
Somebody has invented drama around this word, some other people have bought into it, and now more people are just trying to stir it up again because Hacker News has somehow gone a whole two days without senseless bickering.
That's not how 'connotation' works.
http://en.wikipedia.org/wiki/Connotation
I choose the former.
http://www.snort.org/vrt/buy-a-subscription
That's a general description and misses a lot of details.
The previous Bro thread had a decent comparison between the two projects.
If I was going to deploy a network IDS/IPS somewhere (spoiler: I wouldn't), it'd be Snort. If I was going to monitor a network in general, or do network monitoring research, I'd use Bro.
If you have high-quality signatures and detections, Bro will do a great job of protecting your network. It has automation capabilities, so it can e-mail the system administrator about a suspicious download, or even reach out to your firewall and block an IP that's scanning you.
However, Bro makes the important assumption that regardless of how good your detections are, you will miss something. A new 0-day will come out, a chain of seemingly innocuous events will be combined in such a way that results in a compromise, etc. To deal with this, Bro tries to log as much as it can (within reason), so that in the event of a compromise, you can go back and see what a particular host did.
For example, when you visit this page, Bro might log something like: 1) 1.2.3.4 issued a DNS A query for news.ycombinator.com and received a response of 198.41.190.47 with a TTL of 300. 2) 1.2.3.4 issued an HTTP GET request for / and received a response of 200 OK 3) 1.2.3.4 downloaded a file over HTTP named index.html with a MD5 of X and a SHA1 of Y
The extra capabilities this provides is evident when a new attack becomes public. With Snort, you would add a new detection, and would receive alerts going forward. With Bro, you can also ask the question "Have I been attacked with this before?" A good example is the APT1 report from Mandiant which listed suspected Chinese hacker IPs, domain names, SSL certs, etc. All that information is stored in the Bro logs, which enables you to do some post-hoc analysis.
There's a ton of other functionality that I'm ignoring. Examples include: a Turing-complete scripting language for writing complex detections, an intelligence framework to watch for suspicious e-mails, IPs, domains, files, etc. and a files framework which can extract certain file types and send them to other tools for additional analysis.
There was a good write-up comparing the two: http://jshlbrd.blogspot.com/2014/04/methods-of-alerting-in-s...
http://www.google.com/about/company/history/ http://www.bro.org/documentation/history.png
The name is also, as that recent thread made clear, an obvious special case. And bikeshed flamewars are the last thing we need here—or rather two of the last things we need here, squared. If you have nothing substantive to say about a serious piece of work, not commenting at all is a wise choice.
1. https://hn.algolia.com/?q=bro+security#!/story/forever/0/bro...
===
(Disclaimer: Bro team member)
First, Bro is a Turing-complete scripting language ("the Python for the network") and Snort/Suricata a system centered around regular-expression matching [1]. These two paradigms have fundamentally different levels of expressiveness.
Second, Bro's core is policy-neutral. [Continued at https://news.ycombinator.com/item?id=7728850].