Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Bro-ids

Published byCandace Fields Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Bro-ids"— Presentation transcript:

1 Introduction to Bro-ids
Seth Hall International Computer Science Institute 2011 Educause Security Professionals Conference

2

3

4

5

6

7

8

9 Paul Baran

10

11

12

13 Data Distribution?

14 “There’s generally no detection,
and there’s almost never any response or auditing” - Bruce Schneier from “Secrets and Lies”

15

16

17

18 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; fast_pattern:only; classtype:bad-unknown; sid: ; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Possible Reverse Web Shell (Microsoft Internet Explorer 6.0)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0"; http_header; classtype:trojan-activity; sid: ; rev:2;)

19

20

21 Bro-IDS

22 Domain specific programming language!
Event driven programming model Built in protocol parsing Low level context free events Scalable deployment model

23 Network Traffic Protocol Parsing Scripting Language

24 This is where you will work
Network Traffic Protocol Parsing This is where you will work Scripting Language

25

26

27 TS = (Dec 4 19:02: ) ORIG_H = ORIG_P = 50193 RESP_H = RESP_P = 80 METHOD = GET HOST = ff.connextra.com REQUEST = /sportingbetUSA/selector/client?client=sportingbetUSA&placement=Score.... REFERRER = USER-AGENT = Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: CLIENT BODY SIZE = - RESPONSE BODY SIZE = 0 RESPONSE = 302 RESPONSE MESSAGE = Moved Temporarily KEYS FROM COOKIE = FrequencyCappingCookie,sportingbetUSA,CxtId

28 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Proxy Worker Worker Worker Worker Proxy Worker Worker Worker

29 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Traffic CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Proxy Worker Worker Worker Worker Proxy Network Traffic Worker Worker Worker

30 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Traffic CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Proxy Worker Worker Worker Worker Proxy Network Traffic Worker State Worker Worker

31 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Traffic CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Proxy Worker Worker Worker Worker Proxy Network Traffic Worker State Worker Worker

32 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Traffic CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Proxy Worker Worker Worker Worker Proxy Network Traffic Worker State Worker Worker

33 CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Worker
Traffic CLUSTER DEPLOYMENT Manager Frontend Load-balancer Worker Worker Proxy Worker Worker Worker Worker Proxy Network Traffic Worker State Worker Logs & Notices Worker

34 Upcoming Better and extensible programming model Improved logs
More complete language features Fewer bugs “Out of the box” integration with Barnyard 2 Integration with external intelligence sources 2.5 more years on NSF grant!

35 Questions?

Download ppt "Introduction to Bro-ids"

Similar presentations

Connecting Windows Azure to Your Enterprise Network & Applications

Connecting Windows Azure to Your Enterprise Network & Applications
The Bro Network Security Monitor Overview and Recent Developments.

The Bro Network Security Monitor Overview and Recent Developments.
Chapter 7 LAN Operating Systems LAN Software Software Compatibility Network Operating System (NOP) Architecture NOP Functions NOP Trends.

Chapter 7 LAN Operating Systems LAN Software Software Compatibility Network Operating System (NOP) Architecture NOP Functions NOP Trends.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.

Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
World Wide Web Caching: Trends and Technology Greg Barish and Katia Obraczka USC Information Science Institute IEEE Communications Magazine, May 2000 Presented.

World Wide Web Caching: Trends and Technology Greg Barish and Katia Obraczka USC Information Science Institute IEEE Communications Magazine, May 2000 Presented.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Module 1: Introduction to Windows Clustering. Overview Defining Clustering Features Introducing Application Architecture Identifying Availability and.

Module 1: Introduction to Windows Clustering. Overview Defining Clustering Features Introducing Application Architecture Identifying Availability and.
Access Gateway Operation

Access Gateway Operation
Exchange 2000 Gordon Mangione Vice President Exchange Server Microsoft Corporation.

Exchange 2000 Gordon Mangione Vice President Exchange Server Microsoft Corporation.
Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.

Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.
1 60-564 Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”

Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”
INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.

INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.
1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.
Copyright 2000 eMation SECURITY - Controlling Data Access with

Copyright 2000 eMation SECURITY - Controlling Data Access with
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Similar presentations

Ads by Google