The Open Source Bro IDS Overview and Recent Developments

Similar documents
The Bro Network Intrusion Detection System

The Bro Network Security Monitor. Broverview

The Bro Network Security Monitor. Broverview. Bro Workshop NCSA, Urbana-Champaign, IL. Bro Workshop 2011

Monitoring Network Security with the Open-Source Bro NIDS

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

A Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory

Bro at 10 Gps: Current Testing and Plans

The Bro Network Security Monitor

The Bro Monitoring Platform

The Bro Monitoring Platform

The Bro Network Intrusion Detection System

How to (passively) understand the application layer? Packet Monitoring

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

An Overview of the Bro Intrusion Detection System

Configuring Health Monitoring

The Bro Monitoring Platform

Understanding Slow Start

Firewall Firewall August, 2003

Flow Analysis Versus Packet Analysis. What Should You Choose?

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Traffic Analysis

Transport and Network Layer

Firewalls. Chapter 3

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

Introduction. Background

VMware vcenter Log Insight Getting Started Guide

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

PROFESSIONAL SECURITY SYSTEMS

Deployment Guide AX Series with Citrix XenApp 6.5

INTRODUCTION TO FIREWALL SECURITY

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Network Monitoring Tool to Identify Malware Infected Computers

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.

NetFlow/IPFIX Various Thoughts

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

TCP/IP Networking An Example

The Bro Monitoring Platform

Firewall Load Balancing

VMware vcenter Log Insight Security Guide

MFPConnect Monitoring. Monitoring with IPCheck Server Monitor. Integration Manual Version Edition 1

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Chapter 15. Firewalls, IDS and IPS

Introducing FortiDDoS. Mar, 2013

Host Discovery with nmap

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Network Technologies

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Configuring NetFlow Secure Event Logging (NSEL)

Linux Network Security

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

Websense Web Security Gateway: What to do when a Web site does not load as expected

Server Iron Hands-on Training

EXPLORER. TFT Filter CONFIGURATION

Getting Started with PRTG Network Monitor 2012 Paessler AG

Safe network analysis

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Intrusion Detection System

Cover. White Paper. (nchronos 4.1)

Network Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Web Application Firewall

Ranch Networks for Hosted Data Centers

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

Data Communication I

Intrusion Detection Systems (IDS)

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

Policy Based Forwarding

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls, IDS and IPS

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

bizhub C3850/C3350 USER S GUIDE Applied Functions

Managing Latency in IPS Networks

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Configuring Health Monitoring

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

CT LANforge-FIRE VoIP Call Generator

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

How To Test The Bandwidth Meter For Hyperv On Windows V (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

Structured Threats 21 External Threats 22 Internal Threats 22 Network Attacks 22 Reconnaissance Attacks 22 Access Attacks 23 Data Retrieval 23 System

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

TOE2-IP FTP Server Demo Reference Design Manual Rev1.0 9-Jan-15

Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?

VMware vcenter Log Insight Getting Started Guide

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Firewall Tips & Tricks. Paul Asadoorian Network Security Engineer Brown University November 20, 2002

Web Browsing Examples. How Web Browsing and HTTP Works

Overview of TCP/IP. TCP/IP and Internet

How to protect your home/office network?

Linux: 20 Iptables Examples For New SysAdmins

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Solution of Exercise Sheet 5

Application Monitoring using SNMPc 7.0

Penetration Testing LAB Setup Guide

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Transcription:

The Open Source Bro IDS Overview and Recent Developments Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin 2011 Indiana University

Outline 2

Outline Philosophy and Architecture A framework for network traffic analysis. 2

Outline Philosophy and Architecture A framework for network traffic analysis. Usage and Deployment Logs, scripts, communication, cluster. 2

Outline Philosophy and Architecture A framework for network traffic analysis. Usage and Deployment Logs, scripts, communication, cluster. Roadmap The Bro world is moving quite rapidly. 2

What is Bro? 3

What is Bro? Packet Capture 3

What is Bro? Packet Capture Traffic Inspection 3

What is Bro? Packet Capture Traffic Inspection Attack Detection 3

What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording 3

What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording 3

What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow syslog Log Recording Flexibility Abstraction Data Structures 3

What is Bro? Packet Capture Traffic Inspection NetFlow syslog Attack Detection Domain-specific Python Log Recording Flexibility Abstraction Data Structures 3

What is Bro? Packet Capture Traffic Inspection Sum is more than the pieces NetFlow syslog Attack Detection Domain-specific Python Log Recording Flexibility Abstraction Data Structures 3

Philosophy 4

Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. 4

Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. 4

Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. Policy-neutral at the core Can accommodate a range of detection approaches. 4

Philosophy Real-time network analysis framework Primarily an IDS, but many use it for general traffic analysis. Highly stateful Tracks extensive application-layer network state. Policy-neutral at the core Can accommodate a range of detection approaches. Supports forensics Extensively logs what it sees. 4

Target Audience 5

Target Audience Scientific environments Effective with liberal security policies 5

Target Audience Scientific environments Effective with liberal security policies Network-savvy users Requires understanding of your network 5

Target Audience Scientific environments Effective with liberal security policies Network-savvy users Requires understanding of your network Unixy mindset Command-line based, fully customizable 5

Deployment Internet Internal Network 6

Deployment Internet Tap Internal Network Bro 6

Deployment Internet Tap Internal Network Bro Commodity platforms Standard PC & NICs, FreeBSD/Linux 6

Activity Logs: TCP 7

Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. 7

Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log 7

Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log Time Duration Source Destination 1144876596.658302 1.206521 192.150.186.169 62.26.220.2 \ http 53052 80 tcp 874 1841 SF X Service SPort DPort Proto SrcBytes DstBytes TCPState Local? 7

Activity Logs: TCP One-line summaries of all connections Most basic, yet often extremely helpful output. > bro -i en0 tcp [... wait...] > cat conn.log Time Duration Source Destination 1144876596.658302 1.206521 192.150.186.169 62.26.220.2 \ http 53052 80 tcp 874 1841 SF X Service SPort DPort Proto SrcBytes DstBytes TCPState Local? LBNL has connection logs for every connection attempt since June 94! 7

Activity Logs: HTTP > cat http.log [...] 1144876588.30 %2 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 %2 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 %2 > HOST: www.spiegel.de 1144876588.30 %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS... 1144876588.30 %2 > ACCEPT: text/xml,application/xml,application/xhtml... 1144876588.30 %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 %2 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 %2 < CACHE-CONTROL: max-age=120 1144876588.77 %2 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." 1144876588.78 %2 <= 1500 bytes: "r "http://spiegel.ivwbox.de" r..." 1144876588.78 %2 <= 1500 bytes: "icon.ico" type="image/ico">^m^j..." 1144876588.94 %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55..." [...] 8

Activity Logs: HTTP > cat http.log [...] 1144876588.30 %2 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 %2 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 %2 > HOST: www.spiegel.de 1144876588.30 %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS... 1144876588.30 %2 > ACCEPT: text/xml,application/xml,application/xhtml... 1144876588.30 %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 %2 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 %2 < CACHE-CONTROL: max-age=120 1144876588.77 %2 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." 1144876588.78 %2 <= 1500 bytes: "r "http://spiegel.ivwbox.de" r..." 1144876588.78 %2 <= 1500 bytes: "icon.ico" type="image/ico">^m^j..." 1144876588.94 %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55..." [...] Supported Protocols ARP, UDP, TCP, ICMP BitTorrent, DNS, FTP, Gnutella, HTTP, IRC, NFS, POP3, RPC, SMB, SMTP, SSH, SSL... and more 8

Architecture Packets Network 9

Architecture Events Protocol Decoding Event Engine Packets Network 9

Architecture Logs Notification Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 9

Architecture Logs Notification User Interface Analysis Logic Policy Script Interpreter Events Protocol Decoding Event Engine Packets Network 9

Event Model Web Client 1.2.3.4/4321 Request for /index.html Status OK plus data Web Server 5.6.7.8/80 10

Event Model Web Client 1.2.3.4/4321... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server 5.6.7.8/80 10

Event Model Web Client 1.2.3.4/4321... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server 5.6.7.8/80 Event connection_established(1.2.3.4/4321 5.6.7.8/80) 10

Event Model Web Client 1.2.3.4/4321... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server 5.6.7.8/80 Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 10

Event Model Web Client 1.2.3.4/4321... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server 5.6.7.8/80 Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 5.6.7.8/80, 200, OK, data) 10

Event Model Web Client 1.2.3.4/4321... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN... Web Server 5.6.7.8/80 Event connection_established(1.2.3.4/4321 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 5.6.7.8/80, 200, OK, data) Event connection_finished(1.2.3.4/4321, 5.6.7.8/80) 10

Script Example: Matching URLs Task: Report all Web requests for files called passwd. Example: http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 11

Script Example: Matching URLs Task: Report all Web requests for files called passwd. event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, c, path); # Alarm. } (Syntax simplified.) Example: http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 11

Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, c, path); # Alarm. } (Syntax simplified.) Example: http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 11

Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. global potentially_sensitive: table[connection] of string; event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, potentially_sensitive[c] c, path); = path; # Alarm. # Add to table. } (Syntax simplified.) Example: http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 11

Script Example: Matching URLs Task: Task: Report Report all successful all Web Web requests requests for files for called files called passwd. global potentially_sensitive: table[connection] of string; event http_request(c: connection, method: string, path: string) { if ( method == GET && path == /.*passwd/ ) NOTICE(SensitiveURL, potentially_sensitive[c] c, path); = path; # Alarm. # Add to table. } event http_reply(c: connection, response: int, reason: string) { if ( response == OK && c in potentially_sensitive ) NOTICE(SensitiveURL, c, potentially_sensitive[c]); } (Syntax simplified.) Example: http_request(1.2.3.4/4321 5.6.7.8/80, GET, /index.html ) 11

Script Example: Scan Detector Task: Count failed connection attempts per source address. 12

Script Example: Scan Detector Task: Count failed connection attempts per source address. global attempts: table[addr] of int &default=0; event connection_rejected(c: connection) { local source = c$orig_h;! # Get source address. local n = ++attempts[source];! # Increase counter. if ( n == SOME_THRESHOLD )! # Check for threshold. NOTICE(Scanner, source);! # If so, report. } (Syntax simplified.) 12

Script Example: Tracking Services Task: Report hosts accepting an SSH connection for the first time 13

Script Example: Tracking Services Task: Report hosts accepting an SSH connection for the first time global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder s address local service = c$id$resp_p; # Responder s port if ( service!= 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. } NOTICE(SSHHostFound, responder); # Alarm add ssh_hosts[responder]; # Found a new host (Syntax simplified.) 13

Distributed Scripts 14

Distributed Scripts Bro comes with >20,000 lines of script Prewritten functionality that can just be loaded 14

Distributed Scripts Bro comes with >20,000 lines of script Prewritten functionality that can just be loaded Scripts generate logs and alarms Amendable to customization and extension 14

Communication Architecture 15

Communication Architecture Bro A Logs Notifications Policy Script Interpreter Events Event Engine Packets Network 15

Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter Policy Script Interpreter Events Events Event Engine Event Engine Packets Packets Network Network 15

Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Events Event Engine Event Engine Packets Packets Network Network 15

Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Event Stream Events Event Engine Event Engine Packets Packets Network Network 15

Communication Architecture Bro A Bro B Logs Notifications Logs Notification Policy Script Interpreter State Operations Policy Script Interpreter Events Event Stream Events Event Engine Broccoli Event Engine Packets Network External Applications Packets Network 15

Load-Balancer Approach Bro 10Gbps Event Engine Packet Analysis Script Interpreter Detection Logic 16

External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Protocol Decoding Analysis Logic 10Gbps Bro 2 Event Engine Script Interpreter Protocol Decoding Analysis Logic Bro 3 Event Engine Script Interpreter Protocol Decoding Analysis Logic 16

External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Protocol Decoding Bro 2 Analysis Logic Communication 10Gbps Event Engine Script Interpreter Protocol Decoding Bro 3 Event Engine Analysis Logic Script Interpreter Communication Protocol Decoding Analysis Logic 16

External Packet Demultiplexer Load-Balancer Approach Flow Packets Bro 1 Event Engine Script Interpreter Bro Cluster Protocol Decoding Bro 2 Analysis Logic Communication 10Gbps Event Engine Script Interpreter Protocol Decoding Bro 3 Event Engine Analysis Logic Script Interpreter Communication Protocol Decoding Analysis Logic 16

Cluster Challenges 17

Cluster Challenges Communication capability required Bro has communication primitives built-in 17

Cluster Challenges Communication capability required Bro has communication primitives built-in Management of multi-machine setup is tedious Management interface transparently hides complexity (BroControl) 17

Cluster Challenges Communication capability required Bro has communication primitives built-in Management of multi-machine setup is tedious Management interface transparently hides complexity (BroControl) Demultiplexer needs to operate at line-rate A number of solutions, including a commercially available appliance 17

UC Berkeley Research Cluster 18

UC Berkeley Research Cluster 18

UC Berkeley Research Cluster 18

Roadmap 19

Research Heritage 20

Research Heritage Bro development has focused on research We were lacking resources for documentation, polishing, functionality 20

Research Heritage Bro development has focused on research We were lacking resources for documentation, polishing, functionality NSF is now funding Bro development Full-time engineers working on user experience and performance Office of Cyberinfrastructure 20

Target: Blue Waters @ NCSA 21

Target: Blue Waters @ NCSA 10 PF/s peak performance >1 PF/s sustained on applications >300,000 cores >1 Petabyte memory >10 Petabyte disk storage >0.5 Exabyte archival storage Hosted in 88,000-square-foot facility 21

Next Release 22

Next Release Bro 1.6 New build, installation, and test framework. New quick-start guide. Overhauled default policy scripts. Comprehensive script documentation. New interface for extending scripts New logging framework. Code cleanup. Lots of little things fixed. Git repositories. New web server. 22

Roadmap 23

Roadmap Medium-term Comprehensive user and reference manuals. High-performance binary logging. Integration of external intelligence sources. Improved IPv6 support. New protocols. Database interface. Community script repository. More code cleanup. More things fixed. 23

Roadmap Medium-term Comprehensive user and reference manuals. High-performance binary logging. Integration of external intelligence sources. Improved IPv6 support. New protocols. Database interface. Community script repository. More code cleanup. More things fixed. Long-Term Script compilation. Multi-threading. GUI. 23

Community 24

Community We aim to involve the community more Feedback and contributions welcome! 24

Community We aim to involve the community more Feedback and contributions welcome! We can help you getting started Get in touch and ask us! 24

Community We aim to involve the community more Feedback and contributions welcome! We can help you getting started Get in touch and ask us! Let us know if you re using Bro Operationally, experimentally, research? 24

Summary 25

Summary Philosophy and Architecture A Python for Network Traffic Analysis 25

Summary Philosophy and Architecture A Python for Network Traffic Analysis Usage and Deployment Activity logs, scripting examples, Bro Cluster 25

Summary Philosophy and Architecture A Python for Network Traffic Analysis Usage and Deployment Activity logs, scripting examples, Bro Cluster Roadmap Milestones and community 25

Get in Touch Homepage www.bro-ids.org info@bro-ids.org EMail mailman.icsi.berkeley.edu/ mailman/listinfo/bro Development git.bro-ids.org mailman.icsi.berkeley.edu/ mailman/listinfo/bro-dev 26

Get in Touch Homepage www.bro-ids.org info@bro-ids.org EMail mailman.icsi.berkeley.edu/ mailman/listinfo/bro Development git.bro-ids.org mailman.icsi.berkeley.edu/ mailman/listinfo/bro-dev Thanks for your attention! 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information