
The Bro Intrusion Detection

The Bro Intrusion Detection. Stephen Lau NERSC/LBNL November 20, 2003 SC2003 Phoenix, AZ. Bro. High performance intrusion detection system developed at LBNL and ACRI Vern Paxson primary developer Based on operational experience with high performance networks


Presentation Transcript


  1. The Bro Intrusion Detection
  Stephen Lau, NERSC/LBNL
  November 20, 2003
  SC2003, Phoenix, AZ

  2. Bro
  • High performance intrusion detection system developed at LBNL and ACRI
    • Vern Paxson primary developer
  • Based on operational experience with high performance networks
    • Grew out of tools developed to optimize and analyze network traffic
  • Bro Development Goals
    • High speed network monitoring
    • Low packet loss rate
    • Mechanism separate from policy
  SC2003, Phoenix, AZ

  3. Bro State Model
  • Bro maintains and analyzes state
    • Keeps track of all network connections
    • Reacts to network behavior patterns
  • Signature based systems
    • i.e. Snort, RealSecure
    • Matches patterns seen in network streams

  4. Bro Structure
  • Packet capture and filter
    • Built on libpcap
  • Event Engine
    • Evaluates packets
    • Maintains state of the network connections
    • Generates events
  • Policy Script Interpreter
    • Executes scripts written in ‘policy language’
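The split described on slides 2 to 4 (a stateful event engine that only reports what happened on the wire, and a separate policy layer that decides what matters) is easy to lose in a bullet list, so here is a small added illustration of it. This is example code written for this page, not Bro's source: the packet records, the event names `new_connection`, `connection_established` and `connection_rejected`, the `ScanPolicy` class and its threshold of 4 are all assumptions made for the demo, loosely modelled on Bro's design rather than taken from it.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet record for the demo; a real engine would decode these from libpcap.
@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, R=RST

@dataclass
class Connection:
    orig: str
    orig_p: int
    resp: str
    resp_p: int
    start: float
    state: str = "SYN_SENT"

class EventEngine:
    """Mechanism only: rebuild per-connection state from packets and raise named
    events (new_connection, connection_established, connection_rejected).
    It holds no opinion about which traffic is bad; that lives in the policy."""

    def __init__(self):
        self.conns = {}                  # keyed by (orig, orig_p, resp, resp_p)
        self.handlers = defaultdict(list)

    def on(self, event, handler):
        self.handlers[event].append(handler)

    def _emit(self, event, conn):
        for handler in self.handlers[event]:
            handler(conn)

    def feed(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # key if pkt is from the originator
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # key if pkt is from the responder
        if pkt.flags == "S":                             # originator opens
            if fwd not in self.conns:
                conn = Connection(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.ts)
                self.conns[fwd] = conn
                self._emit("new_connection", conn)
        elif pkt.flags == "SA" and rev in self.conns:    # responder accepts
            conn = self.conns[rev]
            conn.state = "ESTABLISHED"
            self._emit("connection_established", conn)
        elif "R" in pkt.flags:                           # either side resets
            conn = self.conns.get(fwd) or self.conns.get(rev)
            if conn is not None and conn.state == "SYN_SENT":
                conn.state = "REJECTED"
                self._emit("connection_rejected", conn)

class ScanPolicy:
    """Policy only: an originator rejected on `threshold` distinct ports of one
    responder is reported once. The threshold of 4 is an assumed demo value."""

    def __init__(self, engine, threshold=4):
        self.threshold = threshold
        self.rejected_ports = defaultdict(set)   # (orig, resp) -> set of ports
        self.alerts = []
        engine.on("connection_rejected", self.handle_rejected)

    def handle_rejected(self, conn):
        ports = self.rejected_ports[(conn.orig, conn.resp)]
        ports.add(conn.resp_p)
        if len(ports) == self.threshold:
            self.alerts.append(f"{conn.orig} port-scanning {conn.resp}: {sorted(ports)}")

def sample_traffic():
    """Constructed packets: one accepted web connection and one SYN sweep whose
    probes are all answered with RST. Addresses are private/documentation ranges."""
    pkts = [Packet(1.0, "10.0.0.7", 40000, "192.0.2.20", 80, "S"),
            Packet(1.1, "192.0.2.20", 80, "10.0.0.7", 40000, "SA")]
    for i, port in enumerate([21, 23, 25, 110, 143]):
        pkts.append(Packet(2.0 + i, "10.0.0.5", 50000 + i, "192.0.2.10", port, "S"))
        pkts.append(Packet(2.01 + i, "192.0.2.10", port, "10.0.0.5", 50000 + i, "RA"))
    return pkts

def run(pkts, threshold=4):
    """Wire the engine to a policy, feed the packets, return what each layer saw."""
    engine = EventEngine()
    policy = ScanPolicy(engine, threshold)
    established = []
    engine.on("connection_established",
              lambda c: established.append((c.orig, c.resp, c.resp_p)))
    for pkt in pkts:
        engine.feed(pkt)
    return {"alerts": policy.alerts, "established": established,
            "tracked": len(engine.conns)}

if __name__ == "__main__":
    for line in run(sample_traffic())["alerts"]:
        print(line)
```

The point of the layout is that `EventEngine` never changes when the site's notion of "suspicious" changes; a new detection is a new handler registered with `on()`, which is the separation the slides call "mechanism separate from policy".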

  5. Bro Structure
  [Diagram: Network → Packet Stream → libpcap (tcpdump filter) → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter (executes the Policy Script; Event Control flows back to the Event Engine) → Real Time Notification / Record to Disk]

  6. Bro Structure
  • Real time processing
    • Analysis of real time traffic
    • Reaction to any significant events
    • Traffic filtered to only ‘interesting’ traffic
  • Offline processing
    • Bro capable of archiving network traffic
    • Allows for more detailed analysis
    • Less traffic is filtered

  7. Real Time Processing
  • Works in conjunction with border router to drop (shun) hosts at the border
  • Capable of injecting RST packets into stream
    • Code Red Worm instances
    • SSH vulnerability exploits
  • Establishes real time alerts based on policy

  8. Offline Processing
  • Detects stepping stones
    • Compromised system used as a gateway
  • Detects “backdoors”
    • i.e. telnet servers on non-standard port
  • Detects file sharing systems
    • Gnutella, Napster, KaZaa
  [Diagram: External Attacker → Compromised Internal System (inside the Network / DMZ) → External Victim, with Bro observing the traffic]
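The "backdoor" and file-sharing detections on this slide share one idea: identify the protocol from what is actually sent, then compare that with the port it was sent on. The following is an added example of that technique written for this page; it is not Bro's backdoor analyzer or its signatures. The `Conn` record, the `SIGNATURES` table and the sample payloads are constructed for the demo. The fingerprints themselves rest on public protocol facts (the `SSH-x.y-` version banner, telnet IAC option negotiation bytes, an HTTP request line, the `GNUTELLA CONNECT/0.6` handshake), but the exact regular expressions and the "expected port" sets are assumptions, not anything the slides state.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    orig: str
    resp: str
    resp_port: int
    payload: bytes   # first bytes seen on the connection (constructed for the demo)

# Protocol fingerprints on the payload, paired with the ports where the service is
# expected. An empty port set means the protocol itself is the finding (file sharing).
SIGNATURES = {
    # telnet: two or more IAC WILL/WONT/DO/DONT <option> negotiation triples
    "telnet":   (re.compile(rb"^(?:\xff[\xfb-\xfe].){2,}", re.DOTALL), {23}),
    # ssh: version banner such as SSH-2.0-... or SSH-1.99-...
    "ssh":      (re.compile(rb"^SSH-[12]\.\d+-"), {22}),
    # http: request line
    "http":     (re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), {80, 8080}),
    # gnutella 0.6 handshake
    "gnutella": (re.compile(rb"^GNUTELLA CONNECT/0\.\d+\r\n"), set()),
}

def fingerprint(payload):
    """Name the protocol the payload looks like, ignoring the port entirely."""
    for name, (pattern, _) in SIGNATURES.items():
        if pattern.match(payload):
            return name
    return None

def classify(conn):
    """Return (protocol, verdict) or None when the payload matches nothing.
    verdict is 'expected', 'backdoor' (known service on an unexpected port)
    or 'file-sharing'."""
    proto = fingerprint(conn.payload)
    if proto is None:
        return None
    expected_ports = SIGNATURES[proto][1]
    if not expected_ports:
        verdict = "file-sharing"
    elif conn.resp_port in expected_ports:
        verdict = "expected"
    else:
        verdict = "backdoor"
    return proto, verdict

def analyze(conns):
    """Offline pass over archived connections; only non-routine results are reported."""
    findings = []
    for c in conns:
        result = classify(c)
        if result is not None and result[1] != "expected":
            findings.append((c.orig, c.resp, c.resp_port, result[0], result[1]))
    return findings

# Constructed sample: the same protocols on their usual ports and on odd ones.
SAMPLE = [
    Conn("10.1.1.5", "10.2.2.9", 23,   b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    Conn("10.1.1.5", "10.2.2.9", 5555, b"\xff\xfb\x01\xff\xfb\x03login: "),
    Conn("10.1.1.6", "10.2.2.9", 22,   b"SSH-2.0-OpenSSH_3.7\r\n"),
    Conn("10.1.1.6", "10.2.2.7", 2222, b"SSH-1.99-OpenSSH_3.4p1\r\n"),
    Conn("10.1.1.8", "10.2.2.3", 6346, b"GNUTELLA CONNECT/0.6\r\n"),
    Conn("10.1.1.8", "10.2.2.4", 80,   b"GET / HTTP/1.1\r\nHost: example\r\n"),
    Conn("10.1.1.9", "10.2.2.4", 1234, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Because the match is on payload rather than port, a telnet daemon moved to port 5555 is found the same way as one on 23; the price is that every fingerprint needs a few bytes of captured payload, which is why this fits the slide's offline pass over archived traffic better than the real-time path where traffic is filtered down first.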

  9. Bro in Practical Use
  • Primary IDS for LBNL/NERSC since 1996
  • Primary IDS for SC00-03 conferences
  • No specialized hardware needed
    • Low cost allows for multiple deployment
  • Requirements
    • FreeBSD
    • Intel platform
    • Fiber tap
    • Disk space to archive data

  10. Defense in Depth
  • Perimeter
    • Bro / Snort
    • Traffic Filtering
    • Virus Wall
    • Host Filtering
  • Host Level
    • Anti Virus Software
    • Active Scanning
    • Unused services disabled
    • Process Accounting
    • Encrypted Passwords
  • Users / staff
    • Staff Security Team
    • Usage Agreements
    • Periodic training
    • Emails on key issues
  • Internal Network
    • Network Isolation
    • Firewalls
    • Subnet traffic filtering

  11. Use of Bro Within NERSC
  [Diagram of the NERSC deployment; elements as labelled:]
  • ESNet → Border Router (ACL Insertion, Network Traffic Filtering)
  • Tapped Traffic → Multiple Bro Systems
    • Real Time Analysis
    • Redundant Backup
    • Test Box
    • Bulk Traffic Recorder
  • Tapped Traffic → Multiple IDS
    • Snort
    • Bro
  • Tapped Traffic → Heavyweight Protocol Analysis
    • Bro GRID / SSL Analysis
  • Internal Traffic Bro Monitor
  • Wireless Network Bro Monitor → NERSC Wireless Network

  12. Bro at NERSC
  • 24/7 monitoring
    • Tied into a paging system for on-call security person
  • Bro checkpointed at set intervals
    • Clears out ‘orphaned’ sessions
    • Allows for offline data analysis
  • Data archiving
    • Maintain traffic data for about 3 months
    • Anything beyond that is ‘subpoena bait’
    • Maintain network connection data forever

  13. NERSC Network Traffic, 3 Week Period
  [Chart; data not reproduced in the transcript]

  14. Total NERSC Connections
  [Chart; data not reproduced in the transcript]

  15. Valid NERSC Connections
  [Chart; data not reproduced in the transcript]

  16. Practical Bro
  • Automatic ACL injection has very low false positive rate
    • At NERSC average about 1 every 6 months
  • Reports generated whenever checkpointed
    • Results from blocks and odd events
  • Results from offline analyzer
    • Backdoors and KaZaa traffic
  • Takes some time to “learn the traffic”

  17. What Do We See
  • Usual stuff
    • Lots and lots and lots and lots of scans
      • Slow scans, flash scans, nmap, nessus, ISS
    • Many worms and viruses
      • Code Red, Nimda, etc...
    • Lots of backscatter
  • Fun stuff and stuff we really shouldn’t see
    • Broken TCP stacks
    • Private network traffic (192.168.0.0, etc)
    • Broken NATs
    • Odd user behaviour
    • Odd OS/application behaviour

  18. Bro at SC03
  • Bro primary IDS for SC conference since SC00
  • Used to monitor SCinet traffic
  • Maximum observed bandwidth
    • 16.8Gbps at SC2002 (Bandwidth Challenge)
    • Used router hardware BPF
  • Passive monitoring only
    • Automatic countermeasures disabled

  19. Bro at SC03
  • IDS for SCinet
    • Ensure conference network does not get taken down by attacks
    • Detect 0wned systems
    • Monitor for “odd” behavior
  • Educational tool for attendees
    • Password capture and display
    • Alert exhibitors to “risky behavior”
      • i.e. .rhosts with root enabled

  20. SCinet Bro Infrastructure
  [Diagram; labels not reproduced in the transcript]

  21. Bro Future Directions
  • Grid related technologies
    • Ability to detect Grid related protocols
    • X.509 Certificate Analyzer
    • SSL Analyzer
      • Verify certificates are legitimate
  • Router Shunting
    • Primary bottleneck in moving packets into user space
    • Leverage router based hardware filtering to analyze “packets of interest”
    • Proof of concept demo at SC01-03
      • Utilizing Bro and Juniper router
      • Hardware based BPF to filter traffic

  22. Port Mirroring
  [Diagram: External Network ↔ Juniper ↔ Internal Network; Mirrored Traffic → GigE Interface → Bro]

  23. Filter-based Forwarding
  [Diagram: External Network ↔ Juniper (Filter) ↔ Internal Network; Filtered Traffic → GigE Interface → Bro]

  24. Contact Information
  Stephen Lau
  1 Cyclotron Road, M/S 943
  Berkeley, CA 94720
  Phone: +1 (510) 486-7178
  Email: slau@lbl.gov
  PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B
