The Open Source Bro IDS Overview and Recent Developments

Transcription

1 The Open Source Bro IDS Overview and Recent Developments Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory Indiana University

2 Outline 2

3 Outline Philosophy and Architecture A framework for network traffic analysis. 2

4 Outline Philosophy and Architecture A framework for network traffic analysis. Usage and Deployment Logs, scripts, communication, cluster. 2

5 Outline Philosophy and Architecture A framework for network traffic analysis. Usage and Deployment Logs, scripts, communication, cluster. Roadmap The Bro world is moving quite rapidly. 2

6 What is Bro? 3

7 What is Bro? Packet Capture 3

8 What is Bro? Packet Capture Traffic Inspection 3

9 What is Bro? Packet Capture Traffic Inspection Attack Detection 3

10 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording 3

11 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording 3

12 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

13 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

14 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

15 What is Bro? Packet Capture Traffic Inspection NetFlow syslog Attack Detection Domain-specific Python Log Recording Flexibility Abstraction Data Structures 3

16 What is Bro? Packet Capture Traffic Inspection Sum is more than the pieces NetFlow syslog Attack Detection Domain-specific Python Log Recording Flexibility Abstraction Data Structures 3

17 Philosophy 4

18 Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. 4

19 Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. 4

20 Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. Policy-neutral at the core Can accommodate a range of detection approaches. 4

21 Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. Policy-neutral at the core Can accommodate a range of detection approaches. Supports forensics Extensively logs what it sees. 4

22 Target Audience 5

23 Target Audience Scientific environments Effective with liberal security policies 5

24 Target Audience Scientific environments Effective with liberal security policies Network-savvy users Requires understanding of your network 5

25 Target Audience Scientific environments Effective with liberal security policies Network-savvy users Requires understanding of your network Unixy mindset Command-line based, fully customizable 5

26 Deployment Internet Internal Network 6

27 Deployment Internet Tap Internal Network Bro 6

28 Deployment Internet Tap Internal Network Bro Commodity platforms Standard PC & NICs, FreeBSD/Linux 6

29 Activity Logs: TCP 7

30 Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. 7

31 Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log 7

32 Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log Time Duration Source Destination \ http tcp SF X Service SPort DPort Proto SrcBytes DstBytes TCPState Local? 7

33 Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log Time Duration Source Destination \ http tcp SF X Service SPort DPort Proto SrcBytes DstBytes TCPState Local? LBNL has connection logs for every connection attempt since June 94! 7

34 Activity Logs: HTTP > cat http.log [...] %2 start :53041 > : %2 GET /index.html (200 "OK" [57634] %2 > HOST: %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS %2 > ACCEPT: text/xml,application/xml,application/xhtml %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] %2 < SERVER: Apache/ (Unix) mod_fastcgi/ %2 < CACHE-CONTROL: max-age= %2 < EXPIRES: Wed, 12 Apr :18:28 GMT [...] %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." %2 <= 1500 bytes: "r " r..." %2 <= 1500 bytes: "icon.ico" type="image/ico">^m^j..." %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55..." [...] 8

35 Activity Logs: HTTP > cat http.log [...] %2 start :53041 > : %2 GET /index.html (200 "OK" [57634] %2 > HOST: %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS %2 > ACCEPT: text/xml,application/xml,application/xhtml %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] %2 < SERVER: Apache/ (Unix) mod_fastcgi/ %2 < CACHE-CONTROL: max-age= %2 < EXPIRES: Wed, 12 Apr :18:28 GMT [...] %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." %2 <= 1500 bytes: "r " r..." %2 <= 1500 bytes: "icon.ico" type="image/ico">^m^j..." %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55..." [...] Supported Protocols ARP, UDP, TCP, ICMP BitTorrent, DNS, FTP, Gnutella, HTTP, IRC, NFS, POP3, RPC, SMB, SMTP, SSH, SSL... and more 8

36 Architecture Packets Network 9

37 Architecture Events Protocol Decoding Event Engine Packets Network 9

38 Architecture Logs Notification Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 9

39 Architecture Logs Notification User Interface Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 9

40 Event Model Web Client /4321 Request for /index.html Status OK plus data Web Server /80 10

41 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 10

42 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) 10

43 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) 10

44 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) 10

45 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) Event connection_finished( /4321, /80) 10

46 Script Example: Matching URLs Task: Report all Web requests for files called passwd. Example: http_request( / /80, GET, /index.html ) 11

47 Script Example: Matching URLs Task: Report all Web requests for files called passwd. event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, c, path); # Alarm. } (Syntax simplified.) Example: http_request( / /80, GET, /index.html ) 11

48 Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, c, path); # Alarm. } (Syntax simplified.) Example: http_request( / /80, GET, /index.html ) 11

49 Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. global potentially_sensitive: table[connection] of string; event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, potentially_sensitive[c] c, path); = path; # Alarm. # Add to table. } (Syntax simplified.) Example: http_request( / /80, GET, /index.html ) 11

50 Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. global potentially_sensitive: table[connection] of string; event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, potentially_sensitive[c] c, path); = path; # Alarm. # Add to table. } event http_reply(c: connection, response: int, reason: string) { if ( response == OK && c in potentially_sensitive ) NOTICE(SensitiveURL, c, potentially_sensitive[c]); } (Syntax simplified.) Example: http_request( / /80, GET, /index.html ) 11

51 Script Example: Scan Detector Task: Count failed connection attempts per source address. 12

52 Script Example: Scan Detector Task: Count failed connection attempts per source address. global attempts: table[addr] of int &default=0; event connection_rejected(c: connection) { local source = c$orig_h;! # Get source address. local n = ++attempts[source];! # Increase counter. if ( n == SOME_THRESHOLD )! # Check for threshold. NOTICE(Scanner, source);! # If so, report. } (Syntax simplified.) 12

53 Script Example: Tracking Services Task: Report hosts accepting an SSH connection for the first time 13

54 Script Example: Tracking Services Task: Report hosts accepting an SSH connection for the first time global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder s address local service = c$id$resp_p; # Responder s port if ( service!= 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. } NOTICE(SSHHostFound, responder); # Alarm add ssh_hosts[responder]; # Found a new host (Syntax simplified.) 13

55 Distributed Scripts 14

56 Distributed Scripts Bro comes with >20,000 lines of script Prewritten functionality that can just be loaded 14

57 Distributed Scripts Bro comes with >20,000 lines of script Prewritten functionality that can just be loaded Scripts generate logs and alarms Amendable to customization and extension 14

58 Communication Architecture 15

59 Communication Architecture Bro A Logs Notifications Policy Script Interpreter Events Event Engine Packets Network 15

60 Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter Policy Script Interpreter Events Events Event Engine Event Engine Packets Packets Network Network 15

61 Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Events Event Engine Event Engine Packets Packets Network Network 15

62 Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Event Stream Events Event Engine Event Engine Packets Packets Network Network 15

63 Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Event Stream Events Event Engine Broccoli Event Engine Packets Network External Applications Packets Network 15

64 Load-Balancer Approach Bro 10Gbps Event Engine Packet Analysis Script Interpreter Detection Logic 16

65 External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Protocol Decoding Analysis Logic 10Gbps Bro 2 Event Engine Script Interpreter Protocol Decoding Analysis Logic Bro 3 Event Engine Script Interpreter Protocol Decoding Analysis Logic 16

66 External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Protocol Decoding Bro 2 Analysis Logic Communication 10Gbps Event Engine Script Interpreter Protocol Decoding Bro 3 Event Engine Analysis Logic Script Interpreter Communication Protocol Decoding Analysis Logic 16

67 External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Bro Cluster Protocol Decoding Bro 2 Analysis Logic Communication 10Gbps Event Engine Script Interpreter Protocol Decoding Bro 3 Event Engine Analysis Logic Script Interpreter Communication Protocol Decoding Analysis Logic 16

68 Cluster Challenges 17

69 Cluster Challenges Communication capability required Bro has communication primitives built-in 17

70 Cluster Challenges Communication capability required Bro has communication primitives built-in Management of multi-machine setup is tedious Management interface transparently hides complexity (BroControl) 17

71 Cluster Challenges Communication capability required Bro has communication primitives built-in Management of multi-machine setup is tedious Management interface transparently hides complexity (BroControl) Demultiplexer needs to operate at line-rate A number of solutions, including a commercially available appliance 17

72 UC Berkeley Research Cluster 18

73 UC Berkeley Research Cluster 18

74 UC Berkeley Research Cluster 18

75 Roadmap 19

76 Research Heritage 20

77 Research Heritage Bro development has focused on research We were lacking resources for documentation, polishing, functionality 20

78 Research Heritage Bro development has focused on research We were lacking resources for documentation, polishing, functionality NSF is now funding Bro development Full-time engineers working on user experience and performance Office of Cyberinfrastructure 20

79 Target: Blue NCSA 21

80 Target: Blue NCSA 10 PF/s peak performance >1 PF/s sustained on applications >300,000 cores >1 Petabyte memory >10 Petabyte disk storage >0.5 Exabyte archival storage Hosted in 88,000-square-foot facility 21

81 Next Release 22

82 Next Release Bro 1.6 New build, installation, and test framework. New quick-start guide. Overhauled default policy scripts. Comprehensive script documentation. New interface for extending scripts New logging framework. Code cleanup. Lots of little things fixed. Git repositories. New web server. 22

83 Roadmap 23

84 Roadmap Medium-term Comprehensive user and reference manuals. High-performance binary logging. Integration of external intelligence sources. Improved IPv6 support. New protocols. Database interface. Community script repository. More code cleanup. More things fixed. 23

85 Roadmap Medium-term Comprehensive user and reference manuals. High-performance binary logging. Integration of external intelligence sources. Improved IPv6 support. New protocols. Database interface. Community script repository. More code cleanup. More things fixed. Long-Term Script compilation. Multi-threading. GUI. 23

86 Community 24

87 Community We aim to involve the community more Feedback and contributions welcome! 24

88 Community We aim to involve the community more Feedback and contributions welcome! We can help you getting started Get in touch and ask us! 24

89 Community We aim to involve the community more Feedback and contributions welcome! We can help you getting started Get in touch and ask us! Let us know if you re using Bro Operationally, experimentally, research? 24

90 Summary 25

91 Summary Philosophy and Architecture A Python for Network Traffic Analysis 25

92 Summary Philosophy and Architecture A Python for Network Traffic Analysis Usage and Deployment Activity logs, scripting examples, Bro Cluster 25

93 Summary Philosophy and Architecture A Python for Network Traffic Analysis Usage and Deployment Activity logs, scripting examples, Bro Cluster Roadmap Milestones and community 25

94 Get in Touch Homepage mailman.icsi.berkeley.edu/ mailman/listinfo/bro Development git.bro-ids.org mailman.icsi.berkeley.edu/ mailman/listinfo/bro-dev 26

95 Get in Touch Homepage mailman.icsi.berkeley.edu/ mailman/listinfo/bro Development git.bro-ids.org mailman.icsi.berkeley.edu/ mailman/listinfo/bro-dev Thanks for your attention! 26