The Bro Network Security Monitor. Broverview

Transcription

1 The Bro Network Security Monitor Broverview

2 Outline 2

3 Outline Philosophy and Architecture A framework for network traffic analysis. 2

4 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. 2

5 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. Architecture Components, logs, scripts, cluster. 2

6 What is Bro? 3

7 What is Bro? Packet Capture 3

8 What is Bro? Packet Capture Traffic Inspection 3

9 What is Bro? Packet Capture Traffic Inspection Attack Detection 3

10 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording 3

11 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

12 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

13 What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

14 What is Bro? Packet Capture Traffic Inspection Attack Detection Domain-specific Python NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

15 What is Bro? Packet Capture Sum is more than the pieces Traffic Inspection Attack Detection Domain-specific Python NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

16 Philosophy 4

17 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. 4

18 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. 4

19 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. 4

20 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. 4

21 Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. Supports forensics. Extensively logs what it sees. 4

22 Target Audience 5

23 Target Audience Network-savvy users. Requires understanding of your network. 5

24 Target Audience Network-savvy users. Requires understanding of your network. Unixy mindset. Command-line based, fully customizable. 5

25 Target Audience Network-savvy users. Requires understanding of your network. Unixy mindset. Command-line based, fully customizable. Large-scale environments. Effective also with liberal security policies. 5

26 Bro History Vern writes 1st line of code 6

27 Bro History Vern writes 1st line of code v0.2 1st CHANGES entry v0.6 RegExps Login analysis v0.7a90 Profiling State Mgmt v0.8ax/0.9ax SSL/SMB STABLE releases BroLite v1.1/v1.2 when Stmt Resource tuning Broccoli DPD v1.5 BroControl Bro SDCI v2.0 New Scripts v2.1 IPv6 Input Framew. v2.2 (beta) File Analysis Summary Stat. LBNL starts using Bro operationally v0.4 HTTP analysis Scan detector IP fragments Linux support v0.7a175/0.8ax Signatures SMTP IPv6 support User manual v1.0 BinPAC IRC/RPC analyzers 64-bit support Sane version numbers v1.4 DHCP/BitTorrent HTTP entities NetFlow Bro Lite Deprecated v0.7a48 Consistent CHANGES 0.8a37 Communication Persistence Namespaces Log Rotation v1.3 Ctor expressions GeoIP Conn Compressor 6

28 Bro History TRW State Mgmt. Independ. State Host Context Time Machine Enterprise Traffic Bro Cluster Shunt Academic Publications USENIX Paper Stepping Stone Detector Anonymizer Active Mapping Context Signat. BinPAC DPD 2nd Path Autotuning Parallel Prototype Input Framework Vern writes 1st line of code v0.2 1st CHANGES entry v0.6 RegExps Login analysis v0.7a90 Profiling State Mgmt v0.8ax/0.9ax SSL/SMB STABLE releases BroLite v1.1/v1.2 when Stmt Resource tuning Broccoli DPD v1.5 BroControl Bro SDCI v2.0 New Scripts v2.1 IPv6 Input Framew. v2.2 (beta) File Analysis Summary Stat. LBNL starts using Bro operationally v0.4 HTTP analysis Scan detector IP fragments Linux support v0.7a175/0.8ax Signatures SMTP IPv6 support User manual v1.0 BinPAC IRC/RPC analyzers 64-bit support Sane version numbers v1.4 DHCP/BitTorrent HTTP entities NetFlow Bro Lite Deprecated v0.7a48 Consistent CHANGES 0.8a37 Communication Persistence Namespaces Log Rotation v1.3 Ctor expressions GeoIP Conn Compressor 6

29 Who s Using It? Installations across the US Universities Research Labs Supercomputer Centers Fortune 50 Industry Examples Lawrence Berkeley National Lab Indiana University National Center for Supercomputing Applications National Center for Atmospheric Research... and many more sites Fully integrated into Security Onion Popular security-oriented Linux distribution Recent User Meetings Bro Workshop 2011 at NCSA Bro Exchange 2012 at NCAR Bro Exchange 2013 at NCSA Each attended by about operators from from organizations 7

30 Deployment Internet Internal Network 8

31 Deployment Internet Tap Internal Network Bro 8

32 Deployment Internet Tap Internal Network Bro Runs on commodity platforms.! Standard PCs & NICs. Supports FreeBSD/Linux/OS X. 8

33 Creating Visibility with Bro 9

34 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log 9

35 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http

36 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http > cat http.log 9

37 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http tcp http tcp http tcp http tcp http > cat http.log #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] docs.python.org /lib/lib.css 200 Mozilla/ docs.python.org /icons/previous.png 304 Mozilla/ docs.python.org /lib/lib.html 200 Mozilla/ docs.python.org /icons/up.png 304 Mozilla/ docs.python.org /icons/next.png 304 Mozilla/ docs.python.org /icons/contents.png 304 Mozilla/ docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /icons/index.png 304 Mozilla/ / 200 Mozilla/5.0 9

38 Creating Visibility with Bro > bro -i en0 [... wait...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration tcp http tcp http tcp http [...] host uri status_code 80 tcp user_agent http [...] docs.python.org /lib/lib.css tcp Mozilla/5.0 http tcp http docs.python.org /icons/previous.png tcp Mozilla/5.0 http docs.python.org /lib/lib.html 200 Mozilla/5.0 > cat docs.python.org http.log /icons/up.png 304 Mozilla/5.0 docs.python.org /icons/next.png 304 Mozilla/5.0 #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] docs.python.org /icons/contents.png docs.python.org /lib/lib.css Mozilla/5.0 Mozilla/ docs.python.org /icons/previous.png 304 docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /lib/lib.html 200 Mozilla/ docs.python.org /icons/index.png docs.python.org /icons/up.png Mozilla/ docs.python.org /icons/next.png 304 Mozilla/ / docs.python.org /icons/contents.png Mozilla/5.0 Mozilla/ docs.python.org /icons/modules.png 304 Mozilla/ docs.python.org /icons/index.png 304 Mozilla/ / 200 Mozilla/5.0 9

39 Architecture Packets Network 10

40 Architecture Events Protocol Decoding Event Engine Packets Network 10

41 Architecture Logs Notification Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 10

42 Architecture Logs Notification User Interface Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 10

43 Event Model Web Client /4321 Request for /index.html Status OK plus data Web Server /80 11

44 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 11

45 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) 11

46 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) 11

47 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) 11

48 Event Model Web Client / Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server /80 Event connection_established( / /80) TCP stream reassembly for originator Event http_request( / /80, GET, /index.html ) TCP stream reassembly for responder Event http_reply( / /80, 200, OK, data) Event connection_finished( /4321, /80) 11

49 Script Example: Matching URLs Task: Report all Web requests for files called passwd. 12

50 Script Example: Matching URLs Task: Report all Web requests for files called passwd. event http_request(c: connection, # Connection. method: string, # HTTP method. original_uri: string, # Requested URL. unescaped_uri: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_uri == /.*passwd/ ) NOTICE(...); # Alarm. } 12

51 Script Example: Scan Detector Task: Count failed connection attempts per source address. Bro Workshop

52 Script Example: Scan Detector Task: Count failed connection attempts per source address. global attempts: table[addr] of count &default=0; event connection_rejected(c: connection) { local source = c$id$orig_h; # Get source address. local n = ++attempts[source]; # Increase counter. if ( n == SOME_THRESHOLD ) # Check for threshold. NOTICE(...); # Alarm. } Bro Workshop

53 Distributed Scripts 14

54 Distributed Scripts Bro comes with >10,000 lines of script code. Prewritten functionality that s just loaded. 14

55 Distributed Scripts Bro comes with >10,000 lines of script code. Prewritten functionality that s just loaded. Scripts generate alarms and logs. Amendable to extensive customization and extension. 14

56 Bro comes with support for... The Bro Network Security Monitor 15

57 Bro comes with support for... Extract files from HTTP, SMTP, etc. Extract/monitor SSL certificates. Detect malware via Team Cymru's Malware Hash Registry. Report vulnerable software versions on the network. Detect popular web applications. Detect SSH brute-forcing. Notable external scripts: Bro module for Mandiant APT1 report Lucky 13 detector. ICSI SSL notary The Bro Network Security Monitor 15

58 Bro Ecosystem Internet Tap Internal Network Bro 16

59 Bro Ecosystem Internet Tap Internal Network Bro Control Output BroControl User Interface 16

60 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Control Output BroControl User Interface 16

61 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface 16

62 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli 16

63 Bro Ecosystem Internet Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 16

64 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output BroControl User Interface Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby (Broccoli Perl) 16

65 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 16

66 Bro Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) git://git.bro-ids.org 16

67 Bro Ecosystem Time Machine Bro Distribution bro-2.1.tar.gz Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State Other Bros Control Output bro-aux BTest BinPAC tracesummary capstats BroControl Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) git://git.bro-ids.org 16

68 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17

69 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17

70 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Load- Balancer Contributed Scripts Functionality Bro Events State External Bro Control Output bro-aux BinPAC capstats BroControl Events Bro Client Communication Library Broccoli Python BTest tracesummary Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17

71 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Contributed Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro Control Output bro-aux BTest BinPAC tracesummary capstats BroControl Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17

72 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Contributed Scripts Functionality Bro Bro Bro Bro Bro Events State External Bro bro-aux BTest BinPAC tracesummary capstats Control Control Output BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17

73 Bro Cluster Ecosystem Time Machine Internet Tap Tap Internal Network Packets Load- Balancer Frontend Contributed Scripts Functionality Bro Bro Bro Bro Bro Workers Events State External Bro bro-aux BTest BinPAC tracesummary capstats Control Control Output Manager BroControl Output Events Bro Client Communication Library Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 17