The Bro Network Intrusion Detection System

Similar documents
The Open Source Bro IDS Overview and Recent Developments

Monitoring Network Security with the Open-Source Bro NIDS

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab

The Bro Network Security Monitor. Broverview

Bro at 10 Gps: Current Testing and Plans

A Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System

An Overview of the Bro Intrusion Detection System

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

How to (passively) understand the application layer? Packet Monitoring

The Bro Network Security Monitor. Broverview. Bro Workshop NCSA, Urbana-Champaign, IL. Bro Workshop 2011

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Firewall Firewall August, 2003

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

TCP/IP Networking An Example

Firewalls. Chapter 3

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Configuring Health Monitoring

Introduction of Intrusion Detection Systems

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

VMware vcenter Log Insight Getting Started Guide

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Network Monitoring Tool to Identify Malware Infected Computers

Firewalls. Network Security. Firewalls Defined. Firewalls

INTRODUCTION TO FIREWALL SECURITY

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Detecting Attacks. Signature-based Intrusion Detection. Signature-based Detection. Signature-based Detection. Problems

VERITAS Cluster Server Traffic Director Option. Product Overview

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Intrusion Detection System

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Classification of Firewalls and Proxies

Network Traffic Analysis

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Intrusion Detection Systems (IDS)

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Data Communication I

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

IBM. Vulnerability scanning and best practices

VMware vcenter Log Insight Security Guide

Multi-Homing Dual WAN Firewall Router

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Firewall Log Format. Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g ,

PROFESSIONAL SECURITY SYSTEMS

Websense Web Security Gateway: What to do when a Web site does not load as expected

CTS2134 Introduction to Networking. Module Network Security

Course Title: Penetration Testing: Security Analysis

Network Intrusion Detection Systems. Beyond packet filtering

Network Forensics: Log Analysis

Introduction to Network Security Lab 1 - Wireshark

Network Security Monitoring

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Passive Vulnerability Detection

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Intrusion Detection Systems

Linux Network Security

NetCrunch 6. AdRem. Network Monitoring Server. Document. Monitor. Manage

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

EXPLORER. TFT Filter CONFIGURATION

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Architecture Overview

Wireshark. Fakrul (Pappu) Alam

CSC574 - Computer and Network Security Module: Firewalls

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Transport and Network Layer

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

CSE543 - Computer and Network Security Module: Firewalls

The Bro Monitoring Platform

Setting up pfsense as a Stateful Bridging Firewall.

Applications of Passive Message Logging and TCP Stream Reconstruction to Provide Application-Level Fault Tolerance. Sunny Gleason COM S 717

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

- Basic Router Security -

Configuring Health Monitoring

Deployment Guide AX Series with Citrix XenApp 6.5

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Cisco Secure PIX Firewall with Two Routers Configuration Example

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Network Technologies

Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

Network/Internet Forensic and Intrusion Log Analysis

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

Firewalls & Intrusion Detection

Configuring a Backup Path Test Using Network Monitoring

Availability Digest. Redundant Load Balancing for High Availability July 2013

Transcription:

The Bro Network Intrusion Detection System Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org

System Philosophy Bro has been developed at ICSI & LBNL since 1996 LBNL has been using Bro operationally for >10 years It is one of the main components of the lab s network security infrastructure Bro provides a real-time network analysis framework Primary a network intrusion detection system (NIDS) However it is also used for pure traffic analysis Focus is on Application-level semantic analysis (rather than analyzing individual packets) Tracking information over time Strong separation of mechanism and policy The core of the system is policy-neutral (no notion of good or bad ) User provides local site policy 2

System Philosophy (2) Operators program their policy into the system Not really meaningful to talk about what Bro detects by default Bro is not restricted to any particular analysis model Most typical is misuse-detection style Focus is not signature matching Bro is fundamentally different from, e.g., Snort (though it can do signatures as well) Focus is not anomaly detection Though it does support such approaches (and others) in principle System thoroughly logs all activity It does not just alert, but keeps an comprehensive archive of activity Logs are invaluable for forensics 3

Target Environments Bro is specifically well-suited for scientific environments Extremely useful in networks with liberal ( default allow ) policies Supports intrusion prevention schemes High-performance on commodity hardware Runs on Unix-based systems (e.g., Linux, FreeBSD, MacOS) Open-source (BSD license) It does however require some effort to use effectively Pretty complex, script-based system Requires understanding of the network No GUI, just ASCII logs Only partially documented Lacking resources to fully polish the system Development is primarily driven by research However, our focus is operational use; we invest much time into practical issues Want to bridge gap between research and operational deployment 4

Bro Deployment Bro is typically deployed at a site s upstream link Monitors all external packets coming in or going out Deployment similar to other NIDS By default, purely passive monitoring Internet Tap Internal Network Bro 5

Architecture Packet Stream Network 6

Architecture Event Stream Event Engine ( Core ) Packet Stream Network 6

Architecture Real-time Notification Policy Script Interpreter Event Stream Event Engine ( Core ) Packet Stream Network 6

Event Model - Example Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network 7

Event Model - Example Web Client Request for /index.html Web Server Real-time Notification Policy Script Interpreter Event Stream 1.2.3.4/4321 Status OK plus data 5.6.7.8/80 Event Engine (Core) Packet Stream Network 7

Event Model - Example Web Client 1.2.3.4/4321 Request for /index.html... Status OK plus data Stream of TCP packets Web Server 5.6.7.8/80 SYN SYN ACK ACK ACK ACK FIN FIN... Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network 7

Event Model - Example Web Client 1.2.3.4/4321 Request for /index.html... Status OK plus data Stream of TCP packets Web Server 5.6.7.8/80 SYN SYN ACK ACK ACK ACK FIN FIN... Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network Event connection_established(1.2.3.4/4321 5.6.7.8/80) 7

Event Model - Example Web Client 1.2.3.4/4321 Request for /index.html... Status OK plus data Stream of TCP packets Web Server 5.6.7.8/80 SYN SYN ACK ACK ACK ACK FIN FIN... Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 7

Event Model - Example Web Client 1.2.3.4/4321 Request for /index.html... Status OK plus data Stream of TCP packets Web Server 5.6.7.8/80 SYN SYN ACK ACK ACK ACK FIN FIN... Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 5.6.7.8/80, OK, data) 7

Event Model - Example Web Client 1.2.3.4/4321 Request for /index.html... Status OK plus data Stream of TCP packets Web Server 5.6.7.8/80 SYN SYN ACK ACK ACK ACK FIN FIN... Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 5.6.7.8/80, OK, data) Event connection_finished(1.2.3.4/4321, 5.6.7.8/80) 7

Event-Engine Performs policy-neutral analysis Turns low-level activity into high-level events Examples: connection_established, http_request Events are annotated with context (e.g., IP addresses, URL) Event-engine is written in C++ for performance Performs work per packet at line rate Contains analyzers for >30 protocols, including ARP, IP, ICMP, TCP, UDP DCE-RPC, DNS, FTP, Finger, Gnutella, HTTP, IRC, Ident, NCP, NFS, NTP, NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP, SSH, SSL, SunRPC, Telnet Analyzers generate ~300 types of events 8

Expressing Policy with Scripts Scripts define policy in terms of these events Custom, domain-specific language provides... Usual script-language types, such as tables and sets Domain-specific types, such as addresses, ports, subnets Extensive state management support, including Timers; automatic expiration; persistence Real-time communication with other Bro instances Scripts track network activity Scripts take actions Generating alerts via syslog or mail Recording activity to disk Executing external program as a form of response 9

Script Example: Matching URLs event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /etc/passwd ) NOTICE(SensitiveURL, c, path); } http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) Code simplified. See policy/http-request.bro. 10

Script Example: Tracking SSH Hosts global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Resp. s address local service = c$id$resp_p; # Resp s port if ( service!= 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; } 11

Default Policy Scripts Large set of default policy scripts Bro ships with 20K+ lines of script code Bro s default scripts perform two main tasks Detecting malicious activity (mostly misuse-detection) Logging activity comprehensively without any actual assessment In practice, the logs are often most useful Typically we do not know in advance how the next attacks looks like But when an incident occurred, we need to understand what exactly happened Typical questions asked How did the attacker get in? What damage did he do? Did the guy access other hosts as well? How can we detect similar activity in the future? 12

Example Log: Connection Summaries One-line summaries for all TCP connections Most basic, yet also one of the most useful analyzers Time Duration Source Destination 1144876596.658302 1.206521 192.150.186.169 62.26.220.2 \ http 53052 80 tcp 874 1841 SF X Serv SrcPort DstPort Proto SrcBytes DstBytes State Local LBNL has connection logs for every connection attempt since June 94! 13

Example Log: HTTP Session 1144876588.30 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 > HOST: www.spiegel.de 1144876588.30 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS... 1144876588.30 > ACCEPT: text/xml,application/xml,application/xhtml... 1144876588.30 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 < CACHE-CONTROL: max-age=120 1144876588.77 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." 1144876588.78 <= 1500 bytes: "r "http://spiegel.ivwbox.de" r..." 1144876588.78 <= 1500 bytes: "icon.ico" type="image/ico">^m^j..." 1144876588.94 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55..." [...] 14

A Lot More Features... Signatures à la Snort Dynamic protocol detection & analysis Remote communication Propagating events, & state synchronization Between Bro instances, and with external programs via Broccoli (C/Perl/Python/Ruby) Interactive shell for easy configuration & maintenance New in upcoming Bro 1.5 (broctl) Cluster Operation for 10GE environments Transparent load-balancing solution; moving into production at LBL right now Router interface for automatic blocking of IPs Dedicated blocking appliance, with Broccoli interface, will be available soon Time Machine interface A high-performance packet bulk recorder for forensics & retrospective analysis 15

Upcoming: Bro Hands-On Workshop Hands-on Bro training in Berkeley, CA, Oct 13-15 Hosted by the Lawrence Berkeley National Lab Primarily targeted at site security personnel Informal mix of presentations and hands-on labs Bring your laptop! More information & registration http://www.bro-ids.org/news.html 16

Thanks for your attention! Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information