The Bro Network Security Monitor Overview and Recent Developments.

Slide 2: Outline
  Philosophy and Architecture - A framework for network traffic analysis
  History - From research to operations
  Architecture - Components, logs, scripts, cluster

Slide 3: What is Bro?
  (Diagram: Bro is positioned against NetFlow and syslog along the dimensions Flexibility, Abstraction and Data Structures. The layers shown are Packet Capture, Traffic Inspection, Attack Detection and Log Recording, with the annotation “Domain-specific Python”.)

Slide 4: Philosophy
  Fundamentally different from other IDS
    – Reset your idea of an IDS before starting to use Bro
  Real-time network analysis framework
    – Primarily an IDS, but many use it for general traffic analysis
  Policy-neutral at the core
    – Can accommodate a range of detection approaches

Slide 5: Philosophy (cont’d.)
  Highly stateful
    – Tracks extensive application-layer network state
  Supports forensics
    – Extensively logs what it sees

Slide 6: Target Audience
  Large-scale environments
    – Effective also with liberal security policies
  Network-savvy users
    – Requires understanding of your network
  Unixy mindset
    – Command-line based, fully customizable

Slide 7: Research Heritage (NSF Office of Cyberinfrastructure logo)
  Much of Bro is coming out of research projects
    – Bridging the gap between academia and operations
  However, that meant limited engineering resources
    – We were lacking resources for development, documentation, polishing

Slide 8: Research Heritage (cont’d.)
  NSF now funding Bro development at ICSI and NCSA
    – Full-time engineers working 3 years on capabilities & user experience
  Objective is a sustainable development model
    – Aiming to create a larger user and development community

Slide 9: Bro History
  (Timeline from “Vern writes 1st line of code” to Bro 2.0. The slide's layout is lost in this transcript, so the milestones are listed by release number, followed by the research contributions in the order the slide shows them.)
  Vern writes 1st line of code
  LBNL starts using Bro
  USENIX Paper
  v0.2 - 1st CHANGES entry
  v0.4 - HTTP analysis, Scan detector, IP fragments, Linux support
  v0.6 - RegExps, Login analysis
  v0.7a48 - Consistent CHANGES
  v0.7a90 - Profiling, State Mgmt
  v0.7a175/0.8aX - Signatures, SMTP, IPv6 support, User manual
  0.8a37 - Communication, Persistence, Namespaces, Log Rotation
  v0.8aX/0.9aX - SSL/SMB, STABLE releases, BroLite
  v1.0 - BinPAC, IRC/RPC analyzers, 64-bit support, Sane version numbers
  v1.1/v1.2 - when statement, Resource tuning, Broccoli, DPD
  v1.3 - Ctor expressions, GeoIP, Conn Compressor
  v1.4 - DHCP/BitTorrent, HTTP entities, NetFlow, Bro Lite deprecated
  v1.5 - BroControl
  Bro 2.0
  Research contributions: Stepping Stone Detector, Anonymizer, Active Mapping, Context Signatures, TRW, State Mgmt., Independent State, Host Context, Time Machine, Enterprise Traffic, 2nd Path, BinPAC, DPD, Bro Cluster, Shunt, Autoconf, Parallel Prototype, Bro Waters

Slide 10: Deployment
  Runs on commodity platforms
  Standard PCs & NICs
  Supports FreeBSD/Linux/OS X
  (Diagram: Internet - Tap - Internal Network, with Bro attached to the tap.)

Slide 11: Architecture
  (Diagram: Network → Packets → Event Engine (Protocol Decoding) → Events → Policy Script Interpreter (Analysis Logic) → Logs and Notification.)

Slide 12: Event Model
  (Diagram: a Web Client on port 4321 talks to a Web Server on port 80. The stream of TCP packets (SYN, ACK, the request for /index.html, the status OK plus data, FIN) is turned into these events, in order; the host addresses are not preserved in the transcript.)
  connection_established( /4321 ⇒ /80)
  TCP stream reassembly for originator
  http_request( /4321 ⇒ /80, “GET”, “/index.html”)
  TCP stream reassembly for responder
  http_reply( /4321 ⇒ /80, 200, “OK”, data)
  connection_finished( /4321, /80)

Slide 13: Script Example: Matching URLs
  Task: Report all Web requests for files called “passwd”.

    event http_request(c: connection,          # Connection.
                       method: string,         # HTTP method.
                       original_URI: string,   # Requested URL.
                       unescaped_URI: string,  # Decoded URL.
                       version: string)        # HTTP version.
        {
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...);  # Alarm.
        }

Slide 14: Script Example: Scan Detector
  Task: Count failed connection attempts per source address.

    global attempts: table[addr] of count &default=0;

    event connection_rejected(c: connection)
        {
        local source = c$id$orig_h;       # Get source address.
        local n = ++attempts[source];     # Increase counter.

        if ( n == SOME_THRESHOLD )        # Check for threshold.
            NOTICE(...);                  # Alarm.
        }
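The two script fragments on slides 13 and 14, combined into one loadable script that supplies the parts the slides elide: declared Notice types, a concrete threshold, expiry for the counting table, and real NOTICE calls with a suppression identifier. This is an added example written in Bro 2.x script syntax; it is not code from the slides or from the Bro distribution, and the module name SlideExamples, the notice names and the threshold value are assumptions chosen for illustration.

```bro
##! Added example (not from the slides or the Bro distribution): the two
##! slide fragments as one loadable script, Bro 2.x syntax assumed.

@load base/frameworks/notice

module SlideExamples;

export {
    redef enum Notice::Type += {
        ## A GET request for a file called "passwd" (slide 13).
        Passwd_Request,
        ## A source address reached the rejected-connection threshold (slide 14).
        Rejected_Conn_Threshold,
    };

    ## Rejected connections from one source before alarming.
    ## Constructed value; tune it for the monitored network.
    const reject_threshold = 20 &redef;
}

## Per-source counter of rejected connections. &default lets the first
## increment work without an explicit insert; &create_expire removes a
## source's entry one hour after it was created, so the table cannot
## grow without bound on a busy link.
global attempts: table[addr] of count &default=0 &create_expire=1hr;

## Slide 13. With the == operator a pattern must match the entire string
## (the `in` operator does substring matching), which is why the slide's
## pattern starts with ".*": it matches any decoded URI ending in "passwd".
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( method == "GET" && unescaped_URI == /.*passwd/ )
        NOTICE([$note=Passwd_Request,
                $conn=c,
                $msg=fmt("%s requested %s from %s", c$id$orig_h,
                         unescaped_URI, c$id$resp_h),
                # Same source + URI pair is reported once per
                # Notice::default_suppression_interval.
                $identifier=cat(c$id$orig_h, unescaped_URI)]);
    }

## Slide 14. The counter is compared with == rather than >=, so the
## notice fires exactly once when the threshold is reached, not on
## every rejected connection after it.
event connection_rejected(c: connection)
    {
    local source = c$id$orig_h;
    local n = ++attempts[source];

    if ( n == reject_threshold )
        NOTICE([$note=Rejected_Conn_Threshold,
                $src=source,
                $msg=fmt("%s had %d rejected connections", source, n),
                $identifier=cat(source)]);
    }
```

Loading the script with `bro -i en0 slide-examples.bro` (the file name is assumed) sends both notices through the Notice framework, so they land in notice.log and can be escalated or e-mailed with the usual `Notice::policy` hooks; `redef SlideExamples::reject_threshold = 50;` in local.bro adjusts the threshold without editing the script.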

Slide 15: Distributed Scripts
  Bro comes with >10,000 lines of script code
    – Prewritten functionality that’s just loaded
  Scripts generate alarms and logs
    – Amenable to extensive customization and extension

Slide 16: Example Logs
  (The transcript preserves only the field headers, the proto/service columns of conn.log and the host/uri/status_code/user_agent columns of http.log; timestamps, addresses and the remaining columns did not survive. Each header is shown with the log it belongs to.)

    > bro -i en0
    [... wait ...]
    > cat conn.log
    #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration obytes rbytes [...]
    (seven connections, each with proto tcp and service http)

    > cat http.log
    #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...]
    docs.python.org /lib/lib.css 200 Mozilla/
    docs.python.org /icons/previous.png 304 Mozilla/
    docs.python.org /lib/lib.html 200 Mozilla/
    docs.python.org /icons/up.png 304 Mozilla/
    docs.python.org /icons/next.png 304 Mozilla/
    docs.python.org /icons/contents.png 304 Mozilla/
    docs.python.org /icons/modules.png 304 Mozilla/
    docs.python.org /icons/index.png 304 Mozilla/
    / 200 Mozilla/5.0
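The conn.log and http.log shown above are produced by Bro's logging framework: a script declares a record whose fields carry the &log attribute, creates a stream for it, and writes records to the stream; the “#fields” header line is generated from that record. The script below is an added example of defining such a stream in Bro 2.x syntax (it is not from the slides or the Bro distribution); the module name HttpErrors, the resulting log name and the 400 status cutoff are assumptions chosen for illustration.

```bro
##! Added example (not from the slides or the Bro distribution): a custom
##! log stream written with the Bro 2.x logging framework. It records HTTP
##! responses with an error status, and its header has the same layout as
##! the conn.log/http.log headers on the slide.

@load base/protocols/http

module HttpErrors;

export {
    ## Every log stream has an ID. Without an explicit path the file name is
    ## derived from the module name by Log::default_path_func, so this stream
    ## is written to http_errors.log.
    redef enum Log::ID += { LOG };

    ## One record per logged event. Only fields tagged &log are written; a
    ## conn_id expands into the id.orig_h/id.orig_p/id.resp_h/id.resp_p
    ## columns that appear in the slide's "#fields" header.
    type Info: record {
        ts:          time    &log;
        uid:         string  &log;
        id:          conn_id &log;
        host:        string  &log &optional;
        uri:         string  &log &optional;
        status_code: count   &log;
        reason:      string  &log;
    };

    ## Lowest HTTP status treated as an error (constructed value).
    const min_error_status = 400 &redef;
}

event bro_init() &priority=5
    {
    Log::create_stream(HttpErrors::LOG, [$columns=Info]);
    }

## http_reply fires once the responder's status line has been parsed.
## c$http is filled in by the base HTTP scripts and carries the host and
## URI of the matching request when they were observed; both fields are
## optional, so they are checked before use.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    if ( code < min_error_status )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $status_code=code, $reason=reason];

    if ( c?$http )
        {
        if ( c$http?$host ) rec$host = c$http$host;
        if ( c$http?$uri )  rec$uri  = c$http$uri;
        }

    Log::write(HttpErrors::LOG, rec);
    }
```

The resulting file starts with the usual `#separator`, `#fields` and `#types` lines followed by one tab-separated row per error response, so it can be read with the same tools as conn.log and http.log. Filters added with `Log::add_filter` (for example to exclude status 404, or to split the output by responder) apply to this stream exactly as they do to the shipped logs.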

Slide 17: Bro Ecosystem
  (Diagram, same deployment as slide 10: Internet - Tap - Internal Network, with Bro on the tap. Around the Bro core: Broccoli, the Bro Client Communication Library, exchanging Events and State, with the bindings Broccoli Ruby, Broccoli Python and (Broccoli Perl); the tools BTest, BinPAC, capstats, trace-summary and bro-aux; Contributed Scripts adding Functionality; the Time Machine on its own Tap; BroControl providing Control; and a User Interface consuming the Output. Source: git://git.bro-ids.org; Bro Distribution: bro-2.0.tar.gz.)

Slide 18: Bro Cluster
  (Diagram: the ecosystem of slide 17 with the single Bro replaced by a cluster. A Load-Balancer “Frontend” receives the Packets from the Tap and distributes them to several Bro “Workers”, alongside a Bro “Manager”; Broccoli, the contributed scripts, the Time Machine and the tools attach as before, BroControl provides Control and the User Interface consumes the Output.)

Slide 19: Agenda
  (Only the slide title is preserved in the transcript.)

Slide 20: “The Bro Team”