Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bro: A System for Detecting Network Intruders in Real-Time Overview Structure Language Implementation Decisions Attack Against the System Application Processing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Bro: A System for Detecting Network Intruders in Real-Time Overview Structure Language Implementation Decisions Attack Against the System Application Processing."— Presentation transcript:

1 Bro: A System for Detecting Network Intruders in Real-Time Overview Structure Language Implementation Decisions Attack Against the System Application Processing Performance

2 Overview Real-Time Analysis Pure traffic analysis Separation of mechanism and policy Policy neutral Archiving Application layer Individual packets Supports intrusion prevention

3 Structure Passive tap Copies packets Libpcap tcpdump Event Engine organization PSI Event handlers

4 Language Highly Domain-Specific Data types Traditional: bool,int,count,double,string Specific: time,interval,port,addr,hostname Aggregate: record,table Operators Very similar to C Variables: Declaration/Indexing Statements

5 Implementation C++ Single-Threaded Blocking Timers Clendar queues Regular-Expression matching Custom: performance,functionality,compilation Policy Interpretation AST and execution stack Off-Line analysis

6 Attacking the Monitor Overload All Levels net_stats_update Crash Resource consumption UNIX alarm, self-check and tcpdump Subterfuge Difficult to perform and defend Extract tcp payload

7 Applications Finger record,check user,check buffer FTP Track unique sessions/state,port/multi-tcp,bounce Portmapper Detect RPC access Ident Check ports, check user ID, record Telnet/Rlogin Bifurcation,embedded occurrences,session contents Scan Detection: Policy script

8 Performance Buffers Tested with ~730 pckts/sec, peak 1,200 pckts/sec No dropped packets Abnormal legitimate behavior Private IP,TCP retransmit/acknowledgement, Urgent SYN,DF fragments, Split Routing Detectable w/ warning Distributed communicating Bros

Download ppt "Bro: A System for Detecting Network Intruders in Real-Time Overview Structure Language Implementation Decisions Attack Against the System Application Processing."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Practical Network Security: Experiences with ntop Luca Deri Stefano Suin.

Practical Network Security: Experiences with ntop Luca Deri Stefano Suin.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Similar presentations

Ads by Google