An Overview of the Bro Intrusion Detection System

Similar documents
Bro at 10 Gps: Current Testing and Plans

The Bro Network Intrusion Detection System

How to (passively) understand the application layer? Packet Monitoring

Firewall Firewall August, 2003

Network Forensics: Log Analysis

The Bro Network Security Monitor. Broverview

Network Defense Tools

Configuring Security for FTP Traffic

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Dynamic Rule Based Traffic Analysis in NIDS

Introduction of Intrusion Detection Systems

Intrusion Detection Systems (IDS)

The Open Source Bro IDS Overview and Recent Developments

Firewalls & Intrusion Detection

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewalls, IDS and IPS

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

CTS2134 Introduction to Networking. Module Network Security

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

PROFESSIONAL SECURITY SYSTEMS

Traffic Monitoring : Experience

Internet Security Firewalls

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Log Audit Ensuring Behavior Compliance Secoway elog System

Cisco IPS Tuning Overview

IBM. Vulnerability scanning and best practices

Chapter 11 Cloud Application Development

Firewalls. Chapter 3

Chapter 15. Firewalls, IDS and IPS

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

FIREWALL POLICY November 2006 TNS POL - 008

IDS / IPS. James E. Thiel S.W.A.T.

Network- vs. Host-based Intrusion Detection

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

The Bro Network Security Monitor. Broverview. Bro Workshop NCSA, Urbana-Champaign, IL. Bro Workshop 2011

Firewall VPN Router. Quick Installation Guide M73-APO09-380

FIREWALLS & CBAC. philip.heimer@hh.se

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Source-Connect Network Configuration Last updated May 2009

Multi-Homing Dual WAN Firewall Router

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Architecture Overview

Network Intrusion Analysis (Hands-on)

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network Instruments white paper

Edge Configuration Series Reporting Overview

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Network Security Monitoring

How To Protect Your Network From Attack From A Hacker On A University Server

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Internet Security Firewalls

Firewalls (IPTABLES)

Intrusion Detection Systems

A Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory

Intrusion Detection Systems

Presented by Henry Ng

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Design Principles Firewall Characteristics Types of Firewalls

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

Lab Configure IOS Firewall IDS

Internet Management and Measurements Measurements

THE ROLE OF IDS & ADS IN NETWORK SECURITY

USM IT Security Council Guide for Security Event Logging. Version 1.1

Service Managed Gateway TM. How to Configure a Firewall

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Intrusion Detection System

Chapter 9 Firewalls and Intrusion Prevention Systems

Cisco PIX vs. Checkpoint Firewall

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

A Prevention & Notification System By Using Firewall. Log Data. Pilan Lin

F-SECURE MESSAGING SECURITY GATEWAY

Firewalls P+S Linux Router & Firewall 2013

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

funkwerk packetalarm NG IDS/IPS Systems

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

How to set up popular firewalls to work with Web CEO

Intrusion Detection Systems

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

CSCE 465 Computer & Network Security

Transcription:

An Overview of the Bro Intrusion Detection System Brian L. Tierney, Vern Paxson, James Rothfuss Lawrence Berkeley National Laboratory Typical Approach: Firewall with default deny policy A blocking router is a type of firewall Blocks individual services (ports) inbound and possibly outbound Blocks address ranges inbound and possibly outbound Firewall (Blocking Router) Router Internet 1 1

LBNL approach: IDS with Blocking Router IDS controls a blocking router IDS blocks dynamically when an intrusion attempt is detected or alerts upon suspicious activity Router blocks statically like a firewall Intrusion Prevention Blocking Router Internet IDS LBNL Inbound (from Internet) TCP Traffic Number of TCP connection attempts per week, Jan 2000 to Aug 2004 400,000,000 350,000,000 300,000,000 250,000,000 Total traffic Scanning traffic Legitimate traffic Blaster worm released 200,000,000 150,000,000 100,000,000 50,000,000 0 1/1/2000 3/1/2000 5/1/2000 7/1/2000 9/1/2000 11/1/2000 1/1/2001 3/1/2001 5/1/2001 7/1/2001 9/1/2001 11/1/2001 1/1/2002 3/1/2002 5/1/2002 7/1/2002 9/1/2002 11/1/2002 1/1/2003 3/1/2003 5/1/2003 7/1/2003 9/1/2003 11/1/2003 1/1/2004 3/1/2004 5/1/2004 7/1/2004 2 2

LBNL Inbound (from Internet) TCP Traffic TCP connection attempts, scanning vs. legitimate as percent of total - Jan 2000 to Aug 2004 100% 90% 80% Legitimate traffic 70% 60% 50% 40% 30% 20% 10% Scanning traffic 0% 1/1/2000 3/1/2000 5/1/2000 7/1/2000 9/1/2000 11/1/2000 1/1/2001 3/1/2001 5/1/2001 7/1/2001 9/1/2001 11/1/2001 1/1/2002 3/1/2002 5/1/2002 7/1/2002 9/1/2002 11/1/2002 1/1/2003 3/1/2003 5/1/2003 7/1/2003 9/1/2003 11/1/2003 1/1/2004 3/1/2004 5/1/2004 7/1/2004 Bro s Use at LBL Operational 24 7 since 1996 Monitors traffic for suspicious behavior or policy violations: incoming/outgoing/internal In conjunction with blocking routers, Bro acts as a dynamic and intelligent firewall Blocks access from offending IP addresses Blocks high risk ports Blocks known high-risk activity Terminates connections and/or sends alarms Very high performance: GigEther Award winning research 3 3

Bro Goals & Requirements (1995) Ability to monitor traffic in a very high performance environment Real-time detection and response Separation of mechanism from policy Ready extensibility of both mechanism and policy Resistant to evasion How Bro Works Taps GigEther fiber link passively, sends up a copy of all network traffic. 4 4

How Bro Works Tcpdump Filter libpcap Filtered Packet Kernel filters down high-volume stream via standard libpcap packet capture library. Packet How Bro Works Event Control Event Engine Tcpdump Filter libpcap Event Filtered Packet Packet Event engine distills filtered stream into high-level, policy-neutral events reflecting underlying network activity E.g. Connection-level: connection attempt connection finished E.g. Application-level: ftp request http_reply E.g. Activity-level: login success 5 5

How Bro Works Policy Script Policy Script Interpreter Event Control Event Engine Real-time Notification Record To Disk Event Policy script processes event stream, incorporates: Context from past events Site s particular policies Tcpdump Filter Filtered Packet libpcap Packet How Bro Works Policy Script Policy Script Interpreter Event Control Event Engine Tcpdump Filter libpcap Real-time Notification Record To Disk Event Filtered Packet Policy script processes event stream, incorporates: Context from past events Site s particular policies and takes action: Records to disk Generates alerts via syslog, paging, etc. Executes programs as a form of response Packet 6 6

Signature Engine Bro also includes a signature engine for matching specific patterns in packet streams: Conceptually simple Easy to share Compatible with Snort (widely used freeware IDS) E.g., can run on Snort s default set of 2,500+ signatures As with other Bro analysis, signature matches generate events amenable to high-level policy script processing, rather than direct alerts Examples of Bro s Contextual Signatures ( Rules ) HTTP server attack Snort signature: simple pattern matching on MS ISS attack Bro rule: additional check to see if, e.g., host is running Apache ignore alarm Error code checking Snort signature: no checking of reply Bro rule: Looks at return code for HTTP/FTP/SMTP, signature match + error code = no alert Multi-stage attacks Easy in Bro to express signature A but only if followed by signature B or A unless followed by B Easy to express generate alarms if given host triggers N or more signatures or triggers against N or more local hosts Greatly reduces number of false positives! 7 7

Bro as a Tool for Analysis/Forensics Bro supports extensive long-term logging We have a record of every TCP connection in/out of LBNL going back to 1994 Time, size, duration, who, protocol, status Plus specifics of apps analyzed by Bro: Usernames, filenames, URLs Invaluable for forensic analysis Also invaluable for trending, retrospective analysis, longitudinal studies Example: Bro dropping an IP source address ISS Server attack: Nov 5 00:04:07 140.138.148.222/2142 > cindy/http %63654: attack URI GET /scripts/..%5c..%5cwinnt/system32/cmd.exe? /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe, dropping Policy: Drop this host: Nov 5 00:04:07 AddressDropped dropping address 140.138.148.222 (attack URI /scripts/..%5c..%5cwinnt /system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\s cript.exe) 8 8

WU-FTP buffer overflow attack Alarm: Jan 21 01:31:56 ssl.hawera.de/1540 > obsidian/ftp #18 excessive filename: 00000000000000000000000000000000..[495].. Details from FTP log file: Feb 21 00:53:15 #4733 clydesdale.cacc.ncsu.edu/2564 > obsidian.lbl.gov/ftp start Feb 21 00:53:15 #4733 response (220 obsidian.lbl.gov FTP server (Version wu-2.6.1(1) Sat Jan 24 01:43:53 GMT 2001) ready.) Feb 21 00:53:16 #4733 USER ftp/mozilla@ (logged in) Feb 21 00:53:16 #4733 RNFR././ (350 File exists, ready for destination name) Feb 21 00:53:22 #4733 PWD (done) Feb 21 00:53:22 #4733 CWD 00000000000000000000000000000000..[495].. (unavail) Feb 21 00:53:22 #4733 CWD ~/{.,.,.,.} (ok) Sample Bro Alarms Nov 16 03:31:23 AddressDropped low port trolling a213-22-132-227.netcabo.pt 258/tcp Nov 16 06:25:23 SensitivePortmapperAccess rpc: cs4/917 > guacamole.cchem.berkeley.edu/portmap pm_dump: (done) Nov 16 06:30:49 AddressScan 66.243.211.244 has scanned 10000 hosts (445/tcp) Nov 16 06:30:50 SensitiveConnection hot: neutrino 200b > 147.8.137.149/telnet 463b 14.2s "root" Nov 16 06:30:50 OutboundTFTP outbound TFTP: sip000d28083467.dhcp -> inoc-dba.pch.net Nov 16 06:30:52 SensitiveConnection hot: 198.128.27.21 560b > 208.254.3.160/https 4202b 0.5s <IRC source sites> Nov 16 06:30:53 WormPhoneHome worm phone-home signature mcr-88-4 -> 218.146.108.51/9900 Nov 16 06:30:56 FTP_Sensitive ftp: fun.ee/3766 > soling.cs.vu.nl/ftp #1537 RETR nfsshell.tar.gz (complete) Nov 16 06:32:38 HTTP_SensitiveURI scan1/34462 > 198.128.27.212/http %988: GET /admin/file_manager.php?action= download& filename=./../../../../../../etc/passwd <no reply> 9 9

Related Research Bro serves as platform for Developing new methods of analyzing high-level network activity Detecting scans, "stepping stones, "backdoors Independent state Sharing context between Bro s across time & space Efficient hardware to support intrusion detection Investigating defenses against evasion Hardware assist - Shunting Operation at LBNL produces ongoing bonanza of intrusion detection research data Rich, challenging environment 10 10

New Project: Shunting External Control & Analysis Traffic Filter Router / FPGA GigE Interface Bro Internal Bro vs. Bro-Lite Bro and Bro-Lite are the exact same set of software All Bro-Lite work is going into the main Bro distribution Bro-Lite refers to a specific default policy configuration Bro-Lite is a project name 11 11

Bro is a part of a Overall Cyber Security Strategy Incident Response Awareness & Training Scanning Virus Protection Bro Firewall For more Information New Web site: http://www.bro-ids.org/ Bro-Lite alpha release now available http://www.bro-ids.org/alpha/ Bro-Lite beta release coming soon Send email to bro@bro-ids.org 12 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information