The Bro Monitoring Platform

Transcription

1 Robin Sommer! International Computer Science Institute, &! Lawrence Berkeley National Laboratory

2 What Is Bro? 2

3 What Is Bro? Packet Capture 2

4 What Is Bro? Packet Capture Traffic Inspection 2

5 What Is Bro? Packet Capture Traffic Inspection Attack Detection 2

6 What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording 2

7 What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility! Abstraction! Data Structures 2

8 What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility! Abstraction! Data Structures 2

9 What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility! Abstraction! Data Structures 2

10 What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Domain-specific Python Log Recording Flexibility! Abstraction! Data Structures 2

11 The Bro Platform! Platform Apps Intrusion Detection Vulnerabilit. Mgmt File Analysis Programming Language Traffic Measurement Packet Processing Traffic Control Standard Library Compliance Monitoring Tap Network 3

12 The Bro Platform! Open Source BSD License Platform Apps Intrusion Detection Vulnerabilit. Mgmt File Analysis Programming Language Traffic Measurement Packet Processing Traffic Control Standard Library Compliance Monitoring Tap Network 3

13 What Can It Do? Log Files Alerts Custom Logic 4

14 What Can It Do? Log Files Alerts Custom Logic Network Ground Truth 4

15 Bro Logs > bro -i en0! [ wait ] 5

16 Bro Logs > bro -i en0! [ wait ] > ls *.log app_stats.log! communication.log! conn.log! dhcp.log! dns.log! dpd.log! files.log! ftp.log! http.log! irc.log! known_certs.log! known_hosts.log! known_services.log! modbus.log! notice.log! reporter.log! signatures.log! smtp.log! socks.log! software.log! ssh.log! ssl.log! syslog.log! traceroute.log! tunnel.log! weird.log 5

17 Bro Logs > bro -i en0! [ wait ] > cat conn.log #separator \x09! #set_separator,! #empty_field (empty)! #unset_field -! #path conn! #open ! #fields ts uid id.orig_h id.orig_p id.resp_h [ ]! #types time string addr port addr [ ]! arkyemetxog [ ]! nqcgtwjvg4c [ ]! j4u32pc5bif [ ]! k6kgxlooskl [ ]! TEfuqmmG4bh [ ]! OKnoww6xl [ ]! FrJExwHcSal [ ]! PKsZ2Uye [ ]! [ ] 5

18 Connections Logs conn.log ts Timestamp uid Cy3S2U2sbarorQgmw6a Unique ID id.orig_h Originator IP id.orig_p Originator Port id.resp_h Responder IP id.resp_p 25 Responder Port proto tcp IP Protocol service smtp App-layer Protocol duration Duration orig_bytes 9068 Bytes by Originator resp_bytes 4450 Bytes by Responder conn_state SF TCP state local_orig T Local Originator? missed_bytes 0 Gaps history ShAdDaFf State History tunnel_parents (empty) Outer Tunnels 6

19 HTTP http.log ts uid CKFUW73bIADw0r9pl id.orig_h id.orig_p id.resp_h id.resp_p 80 method POST host com-services.pandonetworks.com uri /soapservices/services/sessionstart referrer - user_agent Mozilla/4.0 (Windows; U) Pando/ status_code 200 username anonymous password - orig_mime_types application/xml resp_mime_types application/xml 7

20 SSL ssl.log ts uid id.orig_h CEA05l2D7k0BD9Dda2 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 443 version cipher TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA server_name CN= subject O=Netflix, Inc.,L=Los Gatos,! ST=CALIFORNIA,C=US issuer_subject CN=VeriSign Class 3 Secure Server CA,! OU=VeriSign Trust Network,O=VeriSign, C=US not_valid_before not_valid_after client_subject - client_issuer_subject - cert_hash validation_status 197cab7c6c92a0b9ac5f37cfb ok 8

21 Syslog & DHCP syslog.log ts uid CnYivt3Z0NHOuBALR8 id.orig_h id.orig_p 514 id.resp_h id.resp_p 514 proto facility severity message udp AUTHPRIV INFO sshd[13825]: Accepted publickey for! harvest from xxx.xxx.xxx.xxx 9

22 Syslog & DHCP syslog.log dhcp.log ts uid CnYivt3Z0NHOuBALR8 id.orig_h id.orig_p 514 id.resp_h id.resp_p 514 proto facility severity message udp AUTHPRIV INFO sshd[13825]: Accepted publickey for! harvest from xxx.xxx.xxx.xxx ts uid Ci3RM24iF4vIYRGHc3 id.orig_h id.resp_h mac 04:12:38:65:fa:68 assigned_ip lease_time

23 Files files.log ts fuid FnungQ3TI19GahPJP2 tx_hosts rx_hosts conn_uids CbDgik2fjeKL5qzn55 source SMTP analyzers SHA1,MD5 mime_type application/x-dosexec filename Letter.exe duration local_orig T seen_bytes md5 93f7f5e7a e06e[ ]1085bfcfb sha1 daed94a5662a920041be[ ]a433e501646ef6a03 extracted - 10

24 Software software.log ts host host_p - software_type name version.major 2 version.minor 4 DropboxDesktopClient version.minor2 11 version.minor3 - version.addl unparsed_version Windows DropboxDesktopClient/2.4.11! (Windows; 8; i32; en_us) 11

25 Help Understand Your Network Top File Types application/octet-stream text/html text/plain application/xml application/x-shockwave-flash application/pdf image/gif image/png image/jpeg cat files.log bro-cut mime_type sort uniq -c sort -rn 12

26 Help Understand Your Network (2) Top Software by Number of Hosts Firefox CaptiveNetworkSupport MSIE Safari DropboxDesktopClient GoogleUpdate ocspd Windows-Update-Agent Microsoft-CryptoAPI Chrome cat software.log bro-cut host name sort uniq! awk -F '\t' '{print $2}' sort uniq -c sort -rn 13

27 What Can It Do? Log Files Alerts Custom Logic 14

28 What Can It Do? Log Files Alerts Custom Logic Watch this!! Recorded in notice.log. Can trigger actions. 14

29 Alerts CaptureLoss::Too_Much_Loss! Conn::Ack_Above_Hole! Conn::Content_Gap! Conn::Retransmission_Inconsistency! DNS::External_Name! FTP::Bruteforcing! FTP::Site_Exec_Success! Intel::Notice! PacketFilter::Dropped_Packets! ProtocolDetector::Protocol_Found! ProtocolDetector::Server_Found! SMTP::Blocklist_Blocked_Host! SMTP::Blocklist_Error_Message! SMTP::Suspicious_Origination! SSH::Interesting_Hostname_Login! SSH::Login_By_Password_Guesser! SSH::Password_Guessing! SSH::Watched_Country_Login! SSL::Certificate_Expired! SSL::Certificate_Expires_Soon! SSL::Certificate_Not_Valid_Yet! SSL::Invalid_Server_Cert! Scan::Address_Scan! Scan::Port_Scan! Signatures::Count_Signature! Signatures::Multiple_Sig_Responders! Signatures::Multiple_Signatures! Signatures::Sensitive_Signature! Software::Software_Version_Change! Software::Vulnerable_Version! TeamCymruMalwareHashRegistry::Match! Traceroute::Detected! Weird::Activity 15

30 Watching for Suspicious Logins SSH::Watched_Country_Login!! Login from an unexpected country. 16

31 Watching for Suspicious Logins SSH::Watched_Country_Login!! Login from an unexpected country. SSH::Interesting_Hostname_Login!! Login from an unusual host name. smtp.supercomputer.edu 16

32 Intelligence Integration (Passive) Internet Enterprise Network 17

33 Intelligence Integration (Passive) Internet Enterprise Network Intelligence IP addresses DNS names URLs File hashes Traffic Monitoring HTTP, FTP, SSL, SSH, FTP, DNS, SMTP, Feeds CIF JC3 Spamhaus Custom/Proprietary 17

34 Intelligence Integration (Passive) Internet Enterprise Network Intelligence IP addresses DNS names URLs File hashes Feeds CIF JC3 Spamhaus Custom/Proprietary ts uid CAK677xaOmi66X4Th id.orig_h id.resp_h note indicator indicator_type notice.log Intel::Notice baddomain.com Intel::DOMAIN where!! source Traffic Monitoring HTTP, FTP, SSL, SSH, FTP, DNS, SMTP, My-Private-Feed 17

35 Intelligence Integration (Passive) Internet Enterprise Network Conn::IN_ORIG! Conn::IN_RESP! Intelligence Files::IN_HASH! Files::IN_NAME! DNS::IN_REQUEST! IP addresses DNS::IN_RESPONSE! DNS names URLs File hashes Feeds SMTP::IN_MAIL_FROM! SMTP::IN_RCPT_TO! SMTP::IN_FROM! CIF SMTP::IN_TO! SMTP::IN_RECEIVED_HEADER! JC3 SMTP::IN_REPLY_TO! Spamhaus SMTP::IN_X_ORIGINATING_IP_HEADER! Custom/Proprietary SMTP::IN_MESSAGE! SSL::IN_SERVER_CERT! SSL::IN_CLIENT_CERT! SSL::IN_SERVER_NAME! SMTP::IN_HEADER ts uid CAK677xaOmi66X4Th id.orig_h id.resp_h note indicator indicator_type notice.log Intel::Notice baddomain.com Intel::DOMAIN where!! source Traffic Monitoring HTTP, FTP, SSL, SSH, FTP, DNS, SMTP, My-Private-Feed 17

36 Intelligence Integration (Active) 18

37 Intelligence Integration (Active) # cat files.log bro-cut mime_type sha1 awk '$1 ~ /x-dosexec/! application/x-dosexec 5fd2f e2f6c593d6ec7ae882c9ab54! application/x-dosexec 00c69013d34601c2174b72c9249a da93a! application/x-dosexec 0d801726d49377bfe989dcca7753a62549f1ddda! [ ] 18

38 Intelligence Integration (Active) # cat files.log bro-cut mime_type sha1 awk '$1 ~ /x-dosexec/! application/x-dosexec 5fd2f e2f6c593d6ec7ae882c9ab54! application/x-dosexec 00c69013d34601c2174b72c9249a da93a! application/x-dosexec 0d801726d49377bfe989dcca7753a62549f1ddda! [ ] # dig +short 733a48a9cb4[ ]2a91e8d00.malware.hash.cymru.com TXT! " " 18

39 Intelligence Integration (Active) # cat files.log bro-cut mime_type sha1 awk '$1 ~ /x-dosexec/! application/x-dosexec 5fd2f e2f6c593d6ec7ae882c9ab54! application/x-dosexec 00c69013d34601c2174b72c9249a da93a! application/x-dosexec 0d801726d49377bfe989dcca7753a62549f1ddda! [ ] # dig +short 733a48a9cb4[ ]2a91e8d00.malware.hash.cymru.com TXT! " " notice.log ts Timestamp uid CjKeSB45xaOmiIo4Th Connection ID id.orig_h Originator IP id.resp_h Responder IP fuid! FEGVbAgcArRQ49347 File ID mime_type!!! application/jar MIME type description ] Source URL Bro saw note!! TeamCymruMalwareHashRegistry::Match Notice Type msg :06:51 / 20% MHR reply sub ] VirusTotal URL 18

40 What Can It Do? Log Files Alerts Custom Logic 19

41 What Can It Do? Log Files Alerts Custom Logic Don t ask what Bro can do. Ask what you want it to do. 19

42 Script Example: Matching URLs Task: Report all Web requests for files called passwd. 20

43 Script Example: Matching URLs Task: Report all Web requests for files called passwd.! event http_request(c: connection, # Connection.! method: string, # HTTP method.! original_uri: string, # Requested URL.! unescaped_uri: string, # Decoded URL.! version: string) # HTTP version.! {! if ( method == "GET" && unescaped_uri == /.*passwd/ )! NOTICE(...); # Alarm.! } 20

44 Script Example: Scan Detector Task: Count failed connection attempts per source address. 21

45 Script Example: Scan Detector Task: Count failed connection attempts per source address. global attempts: table[addr] of count &default=0;!! event connection_rejected(c: connection)! {! local source = c$id$orig_h; # Get source address.!! local n = ++attempts[source]; # Increase counter.!! if ( n == SOME_THRESHOLD ) # Check for threshold.! NOTICE(...); # Alarm.! } 21

46 Scripts are Bro s Magic Ingredient Bro comes with >10,000 lines of script code.! Prewritten functionality that s just loaded.! Scripts generate everything we have seen.! Amendable to extensive customization and extension.! Growing community writing 3rd party scripts.! Bro could report Mandiant s APT1 indicators within a day.! 22

47 Bro Ecosystem 23

48 Bro Ecosystem Internet Tap Internal Network Bro 24

49 Bro Ecosystem Internet Tap Internal Network Bro Control Output BroControl User Interface 24

50 Bro Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Control Output BroControl User Interface 24

51 Bro Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface 24

52 Bro Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli 24

53 Bro Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 24

54 Bro Ecosystem Time Machine Internet Tap Tap Internal Network External Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 24

55 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Network! Control External Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 24

56 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Network! Control External Scripts Functionality Bro Events State Other Bros Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary bro-cut Broccoli Broccoli Ruby User Interface (Broccoli Perl) 24

57 Bro Ecosystem Bro Distribution!! bro-2.2.tar.gz Internet Tap Time Machine Tap Internal Network Network! Control External Scripts Functionality Bro Events State Other Bros Control Output bro-aux BTest BinPAC tracesummary capstats bro-cut BroControl Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 24

58 Bro Cluster Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Events State External Bro Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 25

59 Bro Cluster Ecosystem Internet Tap Internal Network External Scripts Functionality Bro Events State External Bro Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 25

60 Bro Cluster Ecosystem Internet Tap Load- Balancer Internal Network External Scripts Functionality Bro Events State External Bro Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 25

61 Bro Cluster Ecosystem Internet Tap Internal Network Packets Load- Balancer External Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 25

62 Bro Cluster Ecosystem Internet Tap Internal Network Packets Load- Balancer External Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro Control Control Output BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 25

63 Bro Cluster Ecosystem Internet Tap Internal Network Packets Load- Balancer Frontend External Scripts Functionality Bro Bro Bro Bro Bro Workers Events State External Bro Control Control Output Manager BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 25

64 So much more 26

65 Bro is a Platform Intrusion Detection Vulnerabilit. Mgmt File Analysis Traffic Measurement Traffic Control Compliance Monitoring There s much more I could talk about Host-level integration Data import and export Automatic Reaction Monitoring Internal Networks Measurements SDN integration Industrial Control Systems Embedded Devices Current Research More File Analysis More Protocols More File Analysis 100Gb/s Networks Enterprise Protocols Summary Statistics Science DMZs ICSL SSL Notary Cluster Deployment 27

66 The U.S. National Science Foundation has enabled much of this work. Bro is coming out of almost two decades of academic research, along with extensive transition to practice efforts. NSF has supported much of that, and is currently funding a Bro Center of Expertise at the International Computer Science Institute and the National Center for Supercomputing Applications. The Bro Project! Commercial Support! 28

67 9/9/12 The U.S. National Science Foundation has enabled much of this work. Bro is coming out of almost two decades of academic research, along with extensive transition to practice efforts. NSF has supported much of that, and is currently funding a Bro Center of Expertise at the International Computer Science Institute and the National Center for Supercomputing Applications. The Bro Project! Commercial Support! 28

68 The End 29

69 Bro History Vern writes 1st line of code! Bro Center!

70 Bro History Vern writes 1st line of code! LBNL starts using Bro! operationally v0.2! 1st CHANGES! entry! v0.4 HTTP analysis! Scan detector! IP fragments Linux support! v0.6! RegExps! Login analysis!! v0.7a90! Profiling! State Mgmt v0.7a175/0.8ax! Signatures! SMTP! IPv6 support! User manual!! v0.8ax/0.9ax SSL/SMB! STABLE releases! BroLite v1.1/v1.2! when Stmt! Resource tuning! Broccoli! DPD! v1.0! BinPAC! IRC/RPC analyzers! 64-bit support! Sane version numbers! v1.5! BroControl! v1.4! DHCP/BitTorrent! HTTP entities! NetFlow! Bro Lite Deprecated! Bro SDCI! v2.0! New Scripts v2.2! File Analysis! Summary Stat. v2.1! IPv6! Input Framew. Bro Center! v0.7a48! Consistent CHANGES 0.8a37! Communication! Persistence! Namespaces! v1.3! Ctor expressions! GeoIP! Conn Compressor Log Rotation

71 Bro History Host Context! Time Machine! Enterprise Traffic TRW State Mgmt.! Independ. State! Bro Cluster Shunt Academic Publications USENIX Paper! Stepping Stone Detector! Anonymizer Active Mapping! Context Signat.! BinPAC! DPD! 2nd Path Parallel Prototype Autotuning Input Framework Vern writes 1st line of code! LBNL starts using Bro! operationally v0.2! 1st CHANGES! entry! v0.4 HTTP analysis! Scan detector! IP fragments Linux support! v0.6! RegExps! Login analysis!! v0.7a90! Profiling! State Mgmt v0.7a175/0.8ax! Signatures! SMTP! IPv6 support! User manual!! v0.8ax/0.9ax SSL/SMB! STABLE releases! BroLite v1.1/v1.2! when Stmt! Resource tuning! Broccoli! DPD! v1.0! BinPAC! IRC/RPC analyzers! 64-bit support! Sane version numbers! v1.5! BroControl! v1.4! DHCP/BitTorrent! HTTP entities! NetFlow! Bro Lite Deprecated! Bro SDCI! v2.0! New Scripts v2.2! File Analysis! Summary Stat. v2.1! IPv6! Input Framew. Bro Center! v0.7a48! Consistent CHANGES 0.8a37! Communication! Persistence! Namespaces! v1.3! Ctor expressions! GeoIP! Conn Compressor Log Rotation

72 Load-balancing Architecture The Bro UW Monitoring MadisonPlatform 31

73 Load-balancing Architecture NIDS 10Gbps Packet Analysis Detection Logic The Bro UW Monitoring MadisonPlatform 31

74 External Packet Load-Balancer! Load-balancing Architecture Flows NIDS 1 Packet Analysis Detection Logic 10Gbps NIDS 2 Packet Analysis Detection Logic NIDS 3 Packet Analysis Detection Logic The Bro UW Monitoring MadisonPlatform 31

75 External Packet Load-Balancer! Load-balancing Architecture Flows NIDS 1 Packet Analysis Detection Logic 10Gbps NIDS 2 Packet Analysis Detection Logic Communication NIDS 3 Packet Analysis Detection Logic Communication The Bro UW Monitoring MadisonPlatform 31

76 External Packet Load-Balancer! Load-balancing Architecture Flows NIDS 1 Packet Analysis Detection Logic Bro Cluster 10Gbps NIDS 2 Packet Analysis Detection Logic Communication NIDS 3 Packet Analysis Detection Logic Communication The Bro UW Monitoring MadisonPlatform 31

77 ototype Science DMZ Science DMZs Border Router Enterprise Border Router/Firewall WAN 100G 10G 10GE perfsonar Clean, High-bandwidth WAN path 10GE Site / Campus access to Science DMZ resources Science DMZ Switch/Router 10GE Site / Campus LAN 10/100G 10GE High performance Data Transfer Node with high-speed storage Per-service security policy control points perfsonar Source: ESNet The Bro UW Monitoring MadisonPlatform 32

78 ototype Science DMZ Science DMZs Border Router Enterprise Border Router/Firewall WAN 100G 10G 10GE perfsonar Clean, High-bandwidth WAN path 10GE Site / Campus access to Science DMZ resources Science DMZ Switch/Router 10GE Site / Campus LAN 10/100G 10GE High performance Data Transfer Node with high-speed storage Per-service security policy control points perfsonar Source: ESNet The Bro UW Monitoring MadisonPlatform 32

79 ototype Science DMZ Science DMZs Border Router Enterprise Border Router/Firewall WAN 100G 10G 10GE perfsonar Clean, High-bandwidth WAN path 10GE Site / Campus access to Science DMZ resources Science DMZ Switch/Router 10GE Site / Campus LAN 10/100G 10GE High performance Data Transfer Node with high-speed storage Per-service security policy control points perfsonar Source: ESNet The Bro UW Monitoring MadisonPlatform 32

80 100 Gb/s Cluster Border Router 100GE 100G Load-balancer The Bro UW Monitoring MadisonPlatform

81 100 Gb/s Cluster Border Router 100GE 100G Load-balancer 10GE The Bro UW Monitoring MadisonPlatform

82 100 Gb/s Cluster Border Router 100GE 100G Load-balancer 10GE Bro Cluster The Bro UW Monitoring MadisonPlatform

83 100 Gb/s Cluster Border Router 100GE 100G Load-balancer API 10GE Control Bro Cluster The Bro UW Monitoring MadisonPlatform

84 100 Gb/s Cluster Science DMZ Switch API Border Router 100GE 100G Load-balancer API 10GE Control Control Bro Cluster The Bro UW Monitoring MadisonPlatform

85 Event Model Web Client / /4321 Request for /index.html Status OK plus data Web Server /80 The Bro UW Monitoring MadisonPlatform 34

86 Event Model Web Client / / Stream of TCP packets Request for /index.html Status OK plus data... SYN SYN ACK ACK ACK ACK FIN FIN Web Server /80 The Bro UW Monitoring MadisonPlatform 34

87 Event Model Web Client / / Stream of TCP packets Request for /index.html Status OK plus data... SYN SYN ACK ACK ACK ACK FIN FIN Web Server /80 Event connection_established( / /80) The Bro UW Monitoring MadisonPlatform 34

88 Event Model Web Client / / Stream of TCP packets Request for /index.html Status OK plus data... SYN SYN ACK ACK ACK ACK FIN FIN Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) The Bro UW Monitoring MadisonPlatform 34

89 Event Model Web Client / / Stream of TCP packets Request for /index.html Status OK plus data... SYN SYN ACK ACK ACK ACK FIN FIN Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) The Bro UW Monitoring MadisonPlatform 34

90 Event Model Web Client / / Stream of TCP packets Request for /index.html Status OK plus data... SYN SYN ACK ACK ACK ACK FIN FIN Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) Event connection_finished( /4321, /80) The Bro UW Monitoring MadisonPlatform 34