250 likes | 478 Views
The Bro Intrusion Detection. Stephen Lau NERSC/LBNL November 20, 2003 SC2003 Phoenix, AZ. Bro. High performance intrusion detection system developed at LBNL and ACRI Vern Paxson primary developer Based on operational experience with high performance networks
E N D
The Bro Intrusion Detection Stephen Lau NERSC/LBNL November 20, 2003 SC2003 Phoenix, AZ
Bro • High performance intrusion detection system developed at LBNL and ACRI • Vern Paxson primary developer • Based on operational experience with high performance networks • Grew out of tools developed to optimize and analyze network traffic • Bro Development Goals • High speed network monitoring • Low packet loss rate • Mechanism separate from policy SC2003, Phoenix, AZ
Bro State Model • Bro maintains and analyzes state • Keeps track of all network connections • Reacts to network behavior patterns • Signature based systems • i.e. Snort, RealSecure • Matches patterns seen in network streams SC2003, Phoenix, AZ
Bro Structure • Packet capture and filter • Built on libpcap • Event Engine • Evaluates packets • Maintains state of the network connections • Generates events • Policy Script Interpreter • Executes scripts written in ‘policy language’ SC2003, Phoenix, AZ
Bro Structure Real Time Notification / Record to Disk Policy Script Policy Script Interpreter Event Stream Event Control Event Engine tcpdump filter Filtered Packet Stream libpcap Packet Stream Network SC2003, Phoenix, AZ
Bro Structure • Real time processing • Analysis of real time traffic • Reaction to any significant events • Traffic filtered to only ‘interesting’ traffic • Offline processing • Bro capable of archiving network traffic • Allows for more detailed analysis • Less traffic is filtered SC2003, Phoenix, AZ
Real Time Processing • Works in conjunction with border router to drop (shun) hosts at the border • Capable of injecting RST packets into stream • Code Red Worm instances • SSH vulnerability exploits • Establishes real time alerts based on policy SC2003, Phoenix, AZ
Offline Processing • Detects stepping stones • Compromised system used as a gateway • Detects “backdoors” • i.e. telnet servers on non-standard port • Detects file sharing systems • Gnutella, Napster, KaZaa Network DMZ External Attacker Compromised Internal System External Victim Bro SC2003, Phoenix, AZ
Bro in Practical Use • Primary IDS for LBNL/NERSC since 1996 • Primary IDS for SC00-03 conferences • No specialized hardware needed • Low cost allows for multiple deployment • Requirements • FreeBSD • Intel platform • Fiber tap • Disk space to archive data SC2003, Phoenix, AZ
Perimeter • Bro / Snort • Traffic Filtering • Virus Wall • Host Filtering Defense in Depth • Host Level • Anti Virus Software • Active Scanning • Unused services • disabled • Process Accounting • Encrypted Passwords • Users / staff • Staff Security Team • Usage Agreements • Periodic training • Emails on key issues • Internal Network • Network Isolation • Firewalls • Subnet traffic • filtering SC2003, Phoenix, AZ
Use of Bro Within NERSC ESNet Multiple Bro Systems • Real Time Analysis • Redundant Backup • Test Box • Bulk Traffic Recorder Tapped Traffic Network Traffic Filtering Border Router ACL Insertion Multiple IDS • Snort • Bro Heavyweight Protocol Analysis • Bro GRID / SSL Analysis Tapped Traffic Tapped Traffic • Internal Traffic Bro Monitor • Wireless Network Bro Monitor NERSC Wireless Network SC2003, Phoenix, AZ
Bro at NERSC • 24/7 monitoring • Tied into a paging system for on-call security person • Bro checkpointed at set intervals • Clears out ‘orphaned’ sessions • Allows for offline data analysis • Data archiving • Maintain traffic data for about 3 months • Anything beyond that is ‘subpoena bait’ • Maintain network connection data forever SC2003, Phoenix, AZ
NERSC Network Traffic3 Week Period SC2003, Phoenix, AZ
Total NERSC Connections SC2003, Phoenix, AZ
Valid NERSC Connections SC2003, Phoenix, AZ
Practical Bro • Automatic ACL injection has very low false positive rate • At NERSC average about 1 every 6 months • Reports generated whenever checkpointed • Results from blocks and odd events • Results from offline analyzer • Backdoors and KaZaa traffic • Takes some time to “learn the traffic” SC2003, Phoenix, AZ
What Do We See • Usual stuff • Lots and lots and lots and lots of scans • Slow scans, flash scans, nmap, nessus, ISS • Many worms and viruses • Code Red, Nimda, etc... • Lots of backscatter • Fun stuff and stuff we really shouldn’t see • Broken TCP stacks • Private network traffic (192.168.0.0, etc) • Broken NATs • Odd user behaviour • Odd OS/application behaviour SC2003, Phoenix, AZ
Bro at SC03 • Bro primary IDS for SC conference since SC00 • Used to monitor SCinet traffic • Maximum observed bandwidth • 16.8Gbps at SC2002 (Bandwidth Challenge) • Used router hardware BPF • Passive monitoring only • Automatic countermeasures disabled SC2003, Phoenix, AZ
Bro at SC03 • IDS for SCinet • Ensure conference network does not get taken down by attacks • Detect 0wned systems • Monitor for “odd” behavior • Educational tool for attendees • Password capture and display • Alert exhibitors to “risky behavior” • i.e. .rhosts with root enabled SC2003, Phoenix, AZ
SCinet Bro Infrastructure SC2003, Phoenix, AZ
Bro Future Directions • Grid related technologies • Ability to detect Grid related protocols • X.509 Certificate Analyzer • SSL Analyzer • Verify certificates are legitimate • Router Shunting • Primary bottleneck in moving packets into user space • Leverage router based hardware filtering to analyze “packets of interest” • Proof of concept demo at SC01-03 • Utilizing Bro and Juniper router • Hardware based BPF to filter traffic SC2003, Phoenix, AZ
Port Mirroring External Network Mirrored Traffic Juniper GigE Interface Bro Internal Network SC2003, Phoenix, AZ
Filter-based Forwarding External Network Filtered Traffic Bro GigE Interface Filter Juniper Internal Network SC2003, Phoenix, AZ
Contact Information Stephen Lau 1 Cyclotron Road, M/S 943 Berkeley, CA 94720 Phone: +1 (510) 486-7178 Email: slau@lbl.gov PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B SC2003, Phoenix, AZ