The Bro Network Security Monitor. Broverview
|
|
- Moses Wilkins
- 8 years ago
- Views:
Transcription
1 The Bro Network Security Monitor Broverview
2 Outline 2
3 Outline Philosophy and Architecture A framework for network traffic analysis. 2
4 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. 2
5 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. Architecture Components, logs, scripts, cluster. 2
6 What is Bro? 3
7 What is Bro? Packet Capture 3
8 What is Bro? Packet Capture Traffic Inspection 3
9 What is Bro? Packet Capture Traffic Inspection Attack Detection 3
10 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording 3
11 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3
12 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3
13 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3
14 What is Bro? Packet Capture Traffic Inspection Attack Detection Domain-specific Python NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3
15 What is Bro? Packet Capture Sum is more than the pieces Traffic Inspection Attack Detection Domain-specific Python NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3
16 Philosophy 4
17 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. 4
18 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. 4
19 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. 4
20 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. 4
21 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. Supports forensics. Extensively logs what it sees. 4
22 Target Audience 5
23 Target Audience Network-savvy users. Requires understanding of your network. 5
24 Target Audience Network-savvy users. Requires understanding of your network. Unixy mindset. Command-line based, fully customizable. 5
25 Target Audience Network-savvy users. Requires understanding of your network. Unixy mindset. Command-line based, fully customizable. Large-scale environments. Effective also with liberal security policies. 5
26 Bro History Vern writes 1st line of code 6
27 Bro History Vern writes 1st line of code v0.2 1st CHANGES entry v0.6 RegExps Login analysis v0.7a90 Profiling State Mgmt v0.8ax/0.9ax SSL/SMB STABLE releases BroLite v1.1/v1.2 when Stmt Resource tuning Broccoli DPD v1.5 BroControl Bro SDCI v2.0 New Scripts v2.1 IPv6 Input Framew. v2.2 (beta) File Analysis Summary Stat. LBNL starts using Bro operationally v0.4 HTTP analysis Scan detector IP fragments Linux support v0.7a175/0.8ax Signatures SMTP IPv6 support User manual v1.0 BinPAC IRC/RPC analyzers 64-bit support Sane version numbers v1.4 DHCP/BitTorrent HTTP entities NetFlow Bro Lite Deprecated v0.7a48 Consistent CHANGES 0.8a37 Communication Persistence Namespaces Log Rotation v1.3 Ctor expressions GeoIP Conn Compressor 6
28 Bro History TRW State Mgmt. Independ. State Host Context Time Machine Enterprise Traffic Bro Cluster Shunt Academic Publications USENIX Paper Stepping Stone Detector Anonymizer Active Mapping Context Signat. BinPAC DPD 2nd Path Autotuning Parallel Prototype Input Framework Vern writes 1st line of code v0.2 1st CHANGES entry v0.6 RegExps Login analysis v0.7a90 Profiling State Mgmt v0.8ax/0.9ax SSL/SMB STABLE releases BroLite v1.1/v1.2 when Stmt Resource tuning Broccoli DPD v1.5 BroControl Bro SDCI v2.0 New Scripts v2.1 IPv6 Input Framew. v2.2 (beta) File Analysis Summary Stat. LBNL starts using Bro operationally v0.4 HTTP analysis Scan detector IP fragments Linux support v0.7a175/0.8ax Signatures SMTP IPv6 support User manual v1.0 BinPAC IRC/RPC analyzers 64-bit support Sane version numbers v1.4 DHCP/BitTorrent HTTP entities NetFlow Bro Lite Deprecated v0.7a48 Consistent CHANGES 0.8a37 Communication Persistence Namespaces Log Rotation v1.3 Ctor expressions GeoIP Conn Compressor 6
29 Who s Using It? Installations across the US Universities Research Labs Supercomputer Centers Fortune 50 Industry Examples Lawrence Berkeley National Lab Indiana University National Center for Supercomputing Applications National Center for Atmospheric Research... and many more sites Fully integrated into Security Onion Popular security-oriented Linux distribution Recent User Meetings Bro Workshop 2011 at NCSA Bro Exchange 2012 at NCAR Bro Exchange 2013 at NCSA Each attended by about operators from from organizations 7
30 Deployment Internet Internal Network 8
31 Deployment Internet Tap Internal Network Bro 8
32 Deployment Internet Tap Internal Network Bro Runs on commodity platforms.! Standard PCs & NICs. Supports FreeBSD/Linux/OS X. 8
33 Creating Visibility with Bro 9
34 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log 9
35 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http
36 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http > cat http.log 9
37 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http > cat http.log #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] docs.python.org /lib/lib.css 200 Mozilla/ docs.python.org /icons/previous.png 304 Mozilla/ docs.python.org /lib/lib.html 200 Mozilla/ docs.python.org /icons/up.png 304 Mozilla/ docs.python.org /icons/next.png 304 Mozilla/ docs.python.org /icons/contents.png 304 Mozilla/ docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /icons/index.png 304 Mozilla/ / 200 Mozilla/5.0 9
38 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http [...] host uri status_code 80 tcp user_agent http [...] docs.python.org /lib/lib.css tcp Mozilla/5.0 http tcp http docs.python.org /icons/previous.png tcp Mozilla/5.0 http docs.python.org /lib/lib.html 200 Mozilla/5.0 > cat docs.python.org http.log /icons/up.png 304 Mozilla/5.0 docs.python.org /icons/next.png 304 Mozilla/5.0 #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] docs.python.org /icons/contents.png docs.python.org /lib/lib.css Mozilla/5.0 Mozilla/ docs.python.org /icons/previous.png 304 docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /lib/lib.html 200 Mozilla/ docs.python.org /icons/index.png docs.python.org /icons/up.png Mozilla/ docs.python.org /icons/next.png 304 Mozilla/ / docs.python.org /icons/contents.png Mozilla/5.0 Mozilla/ docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /icons/index.png 304 Mozilla/ / 200 Mozilla/5.0 9
39 Architecture Packets Network 10
40 Architecture Events Protocol Decoding Event Engine Packets Network 10
41 Architecture Logs Notification Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 10
42 Architecture Logs Notification User Interface Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 10
43 Event Model Web Client /4321 Request for /index.html Status OK plus data Web Server /80 11
44 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 11
45 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) 11
46 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) 11
47 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) 11
48 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) Event connection_finished( /4321, /80) 11
49 Script Example: Matching URLs Task: Report all Web requests for files called passwd. 12
50 Script Example: Matching URLs Task: Report all Web requests for files called passwd. event http_request(c: connection, # Connection. method: string, # HTTP method. original_uri: string, # Requested URL. unescaped_uri: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_uri == /.*passwd/ ) NOTICE(...); # Alarm. } 12
51 Script Example: Scan Detector Task: Count failed connection attempts per source address. Bro Workshop
52 Script Example: Scan Detector Task: Count failed connection attempts per source address. global attempts: table[addr] of count &default=0; event connection_rejected(c: connection) { local source = c$id$orig_h; # Get source address. local n = ++attempts[source]; # Increase counter. if ( n == SOME_THRESHOLD ) # Check for threshold. NOTICE(...); # Alarm. } Bro Workshop
53 Distributed Scripts 14
54 Distributed Scripts Bro comes with >10,000 lines of script code. Prewritten functionality that s just loaded. 14
55 Distributed Scripts Bro comes with >10,000 lines of script code. Prewritten functionality that s just loaded. Scripts generate alarms and logs. Amendable to extensive customization and extension. 14
56 Bro comes with support for... The Bro Network Security Monitor 15
57 Bro comes with support for... Extract files from HTTP, SMTP, etc. Extract/monitor SSL certificates. Detect malware via Team Cymru's Malware Hash Registry. Report vulnerable software versions on the network. Detect popular web applications. Detect SSH brute-forcing. Notable external scripts: Bro module for Mandiant APT1 report Lucky 13 detector. ICSI SSL notary The Bro Network Security Monitor 15
58 Bro Ecosystem Internet Tap Internal Network Bro 16
59 Bro Ecosystem Internet Tap Internal Network Bro Control Output BroControl User Interface 16
60 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Control Output BroControl User Interface 16
61 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface 16
62 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli 16
63 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 16
64 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 16
65 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 16
66 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) git://git.bro-ids.org 16
67 Bro Ecosystem Time Machine Bro Distribution bro-2.1.tar.gz Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BTest BinPAC tracesummary capstats BroControl Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) git://git.bro-ids.org 16
68 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
69 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
70 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Load- Balancer Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
71 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Contributed Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro Control Output bro-aux BTest BinPAC tracesummary capstats BroControl Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
72 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Contributed Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro bro-aux BTest BinPAC tracesummary capstats Control Control Output BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
73 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Frontend Contributed Scripts Functionality Bro Bro Bro Bro Bro Workers Events State External Bro bro-aux BTest BinPAC tracesummary capstats Control Control Output Manager BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17
The Bro Network Security Monitor. Broverview. Bro Workshop 2011. NCSA, Urbana-Champaign, IL. Bro Workshop 2011
The Bro Network Security Monitor Broverview NCSA, Urbana-Champaign, IL Outline 2 Outline Philosophy and Architecture A framework for network traffic analysis. 2 Outline Philosophy and Architecture A framework
More informationThe Open Source Bro IDS Overview and Recent Developments
The Open Source Bro IDS Overview and Recent Developments Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin
More informationThe Bro Monitoring Platform
Robin Sommer! International Computer Science Institute, &! Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What Is Bro? 2 What Is Bro? Packet Capture 2 What Is Bro?
More informationThe Bro Network Security Monitor
Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What is Bro? 2 What is Bro? Packet Capture 2 What is Bro?
More informationThe Bro Monitoring Platform
Adam Slagell National Center for Supercomputing Applications Borrowed from Robin Sommer International Computer Science Institute What Is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow
More informationThe Bro Monitoring Platform
Robin Sommer! International Computer Science Institute, &! Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What Is Bro? Packet Capture Traffic Inspection Attack
More informationThe Bro Network Intrusion Detection System
The Bro Network Intrusion Detection System Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org System Philosophy Bro
More informationThe Bro Monitoring Platform
Robin Sommer! International Computer Science Institute, &! Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What Is Bro? 2 What Is Bro? Packet Capture 2 What Is Bro?
More informationAn Overview of the Bro Intrusion Detection System
An Overview of the Bro Intrusion Detection System Brian L. Tierney, Vern Paxson, James Rothfuss Lawrence Berkeley National Laboratory Typical Approach: Firewall with default deny policy A blocking router
More informationFlow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis
Flow-level analysis: wireshark and Bro Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis 1 wireshark tshark Network packet analyzer for Unix/Windows Displays detailed packet stats GUI (wireshark) or command-line
More informationMonitoring Network Security with the Open-Source Bro NIDS
Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute rsommer@lbl.gov http://www.icir.org at Jefferson
More informationHigh-Performance Network Security Monitoring at the Lawrence Berkeley National Lab
High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for Monitoring External and Internal Activity Robin Sommer Lawrence Berkeley National Laboratory & International
More informationA Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory
A Bro Walk-Through Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org Doing the Walk-Through... Going from simple
More informationHow To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On
Michel Laterman We have a monitor set up that receives a mirror from the edge routers Monitor uses an ENDACE DAG 8.1SX card (10Gbps) & Bro to record connection level info about network usage Can t simply
More informationHow to (passively) understand the application layer? Packet Monitoring
How to (passively) understand the application layer? Packet Monitoring 1 What to expect? Overview / What is packet monitoring? How to acquire the data Handling performance bottlenecks Analyzing the transport
More informationBro at 10 Gps: Current Testing and Plans
U.S. Department of Energy Bro at 10 Gps: Current Testing and Plans Office of Science Brian L. Tierney Lawrence Berkeley National Laboratory Bro s Use at LBL Operational 24 7 since 1996 Monitors traffic
More informationHands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp
Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic
More informationIntroduction. Background
Introduction Bro is an open-source network security monitor which inspects network traffic looking for suspicious activity. The Bro framework provides an extensible scripting language that allows an analysis
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationBerkley Packet Filters and Open Source Tools. a tranched approach to packet capture analysis at today s network speeds
Berkley Packet Filters and Open Source Tools a tranched approach to packet capture analysis at today s network speeds 1 Agenda Packet Capture overview Bro description Security Onion description The problem
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More information100G Network Monitoring with Bro and Time Machine
UNIVERSITY OF CALIFORNIA 100G Network Monitoring with Bro and Time Machine Vincent Stoffer Cyber Security Engineer CENIC Conference March 11th, 2015 Irvine, CA Agenda Intro / overview 100G monitoring challenges
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationUSE HONEYPOTS TO KNOW YOUR ENEMIES
USE HONEYPOTS TO KNOW YOUR ENEMIES SHERIF MOUSA (EG-CERT) 9 MAY 2012 WHAT ARE WE GOING TO TALK ABOUT? What exactly happens on the end of your Internet connection. Open Source tools to set up your own Honeypot
More informationFrom traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik
From traditional to alternative approach to storage and analysis of flow data Petr Velan, Martin Zadnik Introduction Network flow monitoring Visibility of network traffic Flow analysis and storage enables
More informationNetwork forensics 101 Network monitoring with Netflow, nfsen + nfdump
Network forensics 101 Network monitoring with Netflow, nfsen + nfdump www.enisa.europa.eu Agenda Intro to netflow Metrics Toolbox (Nfsen + Nfdump) Demo www.enisa.europa.eu 2 What is Netflow Netflow = Netflow
More informationThe Bro Network Intrusion Detection System
The Bro Network Intrusion Detection System Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org The Bro NIDS - Outline
More informationNETWORK SECURITY WITH OPENSOURCE FIREWALL
NETWORK SECURITY WITH OPENSOURCE FIREWALL Vivek Kathayat,Dr Laxmi Ahuja AIIT Amity University,Noida vivekkathayat@gmail.com lahuja@amity.edu ATTACKER SYSTEM: Backtrack 5r3( 192.168.75.10 ) HOST: Backtrack
More informationFlow-based detection of RDP brute-force attacks
Flow-based detection of RDP brute-force attacks Martin Vizváry vizvary@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic Jan Vykopal vykopal@ics.muni.cz Institute of Computer
More informationNetwork Monitoring using MMT:
Network Monitoring using MMT: An application based on the User-Agent field in HTTP headers Vinh Hoa LA Ɨ Raul FUENTES Ɨ PhD Student Prof. Ana CAVALLI Ɨ Ƭ Supervisor Ɨ Telecom SudParis, IMT Ƭ Montimage
More informationNetwork Security 2. Module 2 Configure Network Intrusion Detection and Prevention
1 1 Network Security 2 Module 2 Configure Network Intrusion Detection and Prevention 2 Learning Objectives 2.1 Cisco IOS Intrusion Prevention System 2.2 Configure Attack Guards on the PIX Security Appliance
More informationSix Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study
Six Days in the Network Security Trenches at SC14 A Cray Graph Analytics Case Study WP-NetworkSecurity-0315 www.cray.com Table of Contents Introduction... 3 Analytics Mission and Source Data... 3 Analytics
More informationNext Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?
Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6? - and many other vital questions to ask your firewall vendor Zlata Trhulj Agilent Technologies zlata_trhulj@agilent.com
More informationAttacking the TCP Reassembly Plane of Network Forensics Tools
Attacking the TCP Reassembly Plane of Network Forensics Tools Gérard 12 Thomas Engel 1 1 University of Luxembourg - SECAN LAB 2 SES ASTRA Outline Introduction Definitions and terminology A PCAP file contains
More informationAdvanced Administration for Citrix NetScaler 9.0 Platinum Edition
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
More informationNetworks & Security Course. Web of Trust and Network Forensics
Networks & Security Course Web of Trust and Network Forensics Virtual Machine Virtual Machine Internet connection You need to connect the VM to the Internet for some of the Web of Trust exercises. Make
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationAnnouncements. Lab 2 now on web site
Lab 2 now on web site Announcements Next week my office hours moved to Monday 4:3pm This week office hours Wednesday 4:3pm as usual Weighting of papers for final discussion [discussion of listen] Bro:
More informationBEGINNER S GUIDE to. Open Source Intrusion Detection Tools. www.alienvault.com
BEGINNER S GUIDE to Open Source Intrusion Detection Tools www.alienvault.com IDS Basics If you aren t already running network IDS, you should be. There are two types of Network IDS: Signature Detection
More informationCS 188/219. Scalable Internet Services Andrew Mutz October 8, 2015
CS 188/219 Scalable Internet Services Andrew Mutz October 8, 2015 For Today About PTEs Empty spots were given out If more spots open up, I will issue more PTEs You must have a group by today. More detail
More informationWhat is a Bro log? Justin Azoff. Aug 26, 2014
What is a Bro log? Justin Azoff Aug 26, 2014 What is a Bro log? A Bro log is a stream of high level entries that correspond to network events. A file downloaded via HTTP An email sent using SMTP A login
More informationDetecting Attacks. Signature-based Intrusion Detection. Signature-based Detection. Signature-based Detection. Problems
Detecting Attacks Signature-based Intrusion Detection Boriana Ditcheva and Lisa Fowler University of North Carolina at Chapel Hill February 16 & 22, 2005 Anomaly-based Detection Signature-based (Misuse)
More informationcinderella: A Prototype For A Specification-Based NIDS
cinderella: A Prototype For A Specification-Based NIDS Andreas Krennmair krennmair@acm.org August 8, 2003 Abstract What is actually network intrusion detection? How does it work? What are the most common
More informationhttps://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
More informationCover. White Paper. (nchronos 4.1)
Cover White Paper (nchronos 4.1) Copyright Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationData Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
More informationThe Bro Network Security Monitor
The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Outline 1. The Bro Difference 2. Abstract
More informationNetwork Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
More informationManaging Latency in IPS Networks
Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended
More informationConfiguring Health Monitoring
CHAPTER4 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features that are described in this chapter apply to both IPv6 and IPv4 unless
More informationLog Management with Open-Source Tools. Risto Vaarandi SEB Estonia
Log Management with Open-Source Tools Risto Vaarandi SEB Estonia Outline Why use open source tools for log management? Widely used logging protocols and recently introduced new standards Open-source syslog
More informationNetwork Forensics Network Traffic Analysis
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationPassive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm, Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More informationUnderstanding Slow Start
Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National university of Malaysia UKM, Selengor, Malaysia. b Tafila Technical University, Electrical
More informationWeb Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.
Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall. 5401 Butler Street, Suite 200 Pittsburgh, PA 15201 +1 (412) 408 3167 www.metronomelabs.com
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Journal of Ubiquitous Systems & Pervasive Networks Volume 3, No. 2 (2011) pp. 3- Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National University
More informationHost Discovery with nmap
Host Discovery with nmap By: Mark Wolfgang moonpie@moonpie.org November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default
More informationBinonymizer A Two-Way Web-Browsing Anonymizer
Binonymizer A Two-Way Web-Browsing Anonymizer Tim Wellhausen Gerrit Imsieke (Tim.Wellhausen, Gerrit.Imsieke)@GfM-AG.de 12 August 1999 Abstract This paper presents a method that enables Web users to surf
More informationAbout Cisco PIX Firewalls
About Cisco PIX Firewalls The PIX firewall requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the firewall operating system allows various methods
More informationZMap. Fast Internet-Wide Scanning and its Security Applications. Zakir Durumeric Eric Wustrow J. Alex Halderman. University of Michigan
ZMap Fast Internet-Wide Scanning and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan Internet-Wide Network Studies Previous research has shown promise of
More informationConfiguration Guide. Websense Web Security Solutions Version 7.8.1
Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationConfiguring Security for FTP Traffic
2 Configuring Security for FTP Traffic Securing FTP traffic Creating a security profile for FTP traffic Configuring a local traffic FTP profile Assigning an FTP security profile to a local traffic FTP
More informationFortiWeb 5.0, Web Application Firewall Course #251
FortiWeb 5.0, Web Application Firewall Course #251 Course Overview Through this 1-day instructor-led classroom or online virtual training, participants learn the basic configuration and administration
More informationZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy
ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to
More informationWeb Application Firewall
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationWeb Traffic Capture. 5401 Butler Street, Suite 200 Pittsburgh, PA 15201 +1 (412) 408 3167 www.metronomelabs.com
Web Traffic Capture Capture your web traffic, filtered and transformed, ready for your applications without web logs or page tags and keep all your data inside your firewall. 5401 Butler Street, Suite
More informationExtraHop and AppDynamics Deployment Guide
ExtraHop and AppDynamics Deployment Guide This guide describes how to use ExtraHop and AppDynamics to provide real-time, per-user transaction tracing across the entire application delivery chain. ExtraHop
More informationHow To Test The Bandwidth Meter For Hyperv On Windows V2.4.2.2 (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2
BANDWIDTH METER FOR HYPER-V NEW FEATURES OF 2.0 The Bandwidth Meter is an active application now, not just a passive observer. It can send email notifications if some bandwidth threshold reached, run scripts
More informationPlugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help
Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure
More informationStructured Threats 21 External Threats 22 Internal Threats 22 Network Attacks 22 Reconnaissance Attacks 22 Access Attacks 23 Data Retrieval 23 System
xii Contents Structured Threats 21 External Threats 22 Internal Threats 22 Network Attacks 22 Reconnaissance Attacks 22 Access Attacks 23 Data Retrieval 23 System Access 24 Privilege Escalation 24 DoS
More informationYou Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell
You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell Mandiant, a FireEye company [2014 SANS European ICS Summit] About me Currently: Principal Consultant on Mandiant s Industrial
More informationDDoS Protecion Total AnnihilationD. DDoS Mitigation Lab
DDoS Protecion Total AnnihilationD A Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building
More informationMonitoring applications to increase security in 40G and 100G networks
Monitoring applications to increase security in 40G and 100G networks Cyber Security and Today s Communication Technologies TPEB workshop, 30.1.2014 Petr Kastovsky kastovsky@invea.com Company Introduction
More informationVESZPROG ANTI-MALWARE TEST BATTERY
VESZPROG ANTI-MALWARE TEST BATTERY 2012 The number of threats increased in large measure in the last few years. A set of unique anti-malware testing procedures have been developed under the aegis of CheckVir
More informationLinux VPS with cpanel. Getting Started Guide
Linux VPS with cpanel Getting Started Guide First Edition October 2010 Table of Contents Introduction...1 cpanel Documentation...1 Accessing your Server...2 cpanel Users...2 WHM Interface...3 cpanel Interface...3
More informationNetwork Monitoring Tool to Identify Malware Infected Computers
Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas
More informationRule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose
More informationIDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for
Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts
More informationAnalyzing the Different Attributes of Web Log Files To Have An Effective Web Mining
Analyzing the Different Attributes of Web Log Files To Have An Effective Web Mining Jaswinder Kaur #1, Dr. Kanwal Garg #2 #1 Ph.D. Scholar, Department of Computer Science & Applications Kurukshetra University,
More informationMissing the Obvious: Network Security Monitoring for ICS
Missing the Obvious: Network Security Monitoring for ICS If ICS are so vulnerable, why haven t we seen more attacks? We aren t looking! Two Key Reasons Intent Visibility Intent Why are targeted attacks
More informationDOSarrest Security Services (DSS) Version 4.0
DOSarrest Security Services (DSS) Version 4.0 DOSarrest DSS User Guide The DSS is the main customer portal where customers can view and manipulate traffic statistics from a wide variety of variables that
More informationU06 IT Infrastructure Policy
Dartmoor National Park Authority U06 IT Infrastructure Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement
More informationnfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH
18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH Some operational questions, popping up now and then: Do you see this peek on port 445 as well? What caused this peek on your
More informationPROFESSIONAL SECURITY SYSTEMS
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
More informationApplication DDoS Mitigation
Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...
More informationSecuring and Monitoring BYOD Networks using NetFlow
Securing and Monitoring BYOD Networks using NetFlow How NetFlow can help with Security Analysis, Application Detection and Traffic Monitoring Don Thomas Jacob Technical Marketing Engineer ManageEngine
More informationVMware vcenter Log Insight Getting Started Guide
VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by
More informationIntrusion Detection Systems
Intrusion Detection Systems Intrusion Detection Systems Intrusion Detection Systems: Overview IDS Acronyms & Definition Components Recognition & Response Security Interoperability & Cooperation HIDS NIDS
More informationLog Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M
Log Management with Open-Source Tools Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M Outline Why do we need log collection and management? Why use open source tools? Widely used logging protocols and recently
More informationBasic Administration for Citrix NetScaler 9.0
Basic Administration for Citrix NetScaler 9.0 CTX-NS09 DESCRIZIONE: Overview This course covers the initial configuration and administration of Citrix NetScaler 9.0. Learners gain an understanding of NetScaler
More informationLarge-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop
Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop R. David Idol Department of Computer Science University of North Carolina at Chapel Hill david.idol@unc.edu http://www.cs.unc.edu/~mxrider
More information