170 likes | 400 Views
Flexible, High-Speed Intrusion Detection Using Bro. Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center for Internet Research International Computer Science Institute Berkeley, CA USA vern@icir.org http://www-nrg.ee.lbl.gov/bro.html.
E N D
Flexible, High-SpeedIntrusion Detection Using Bro Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center for Internet Research International Computer Science Institute Berkeley, CA USA vern@icir.org http://www-nrg.ee.lbl.gov/bro.html
Protect Rather Than Secure • Modern science critically depends on diverse, high-performance Internet communication • Increasingly difficult given rising security threats • Alternative institutional approach: network intrusion detection • Monitor network traffic, look for attacks • Key point: tenable due to threat model at open research institutes • Few jewels • Low level of compromises is tolerable • Particularly effective when combined with dynamic blocking (reactive firewall) • Potentially keeps Default Allow viable
Bro Design Goals (1990’s) • Monitor traffic in a very high performance environment • Real-time detection and response • Separation of mechanism from policy • Ready extensibility of both mechanism and policy • Resistant to evasion
How Bro Works • Taps GigEther fiber link passively, sends up a copy of all network traffic. Network
How Bro Works Tcpdump Filter Filtered Packet Stream • Kernel filters down high-volume stream via standard libpcap packet capture library. libpcap Packet Stream Network
How Bro Works Event Control Event Stream • “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity • E.g., connection_attempt, http_reply, user_logged_in Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network
How Bro Works Policy Script Real-time Notification Record To Disk • “Policy script” processes event stream, incorporates: • Context from past events • Site’s particular policies Policy Script Interpreter Event Control Event Stream Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network
How Bro Works Policy Script Real-time Notification Record To Disk • “Policy script” processes event stream, incorporates: • Context from past events • Site’s particular policies • … and takes action: • Records to disk • Generates alerts via syslog, paging • Executes programs as a form of response • Sends events to other Bro’s Policy Script Interpreter Event Control Event Stream Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network
Signature Engine • Bro also includes a signature engine for matching specific patterns in packet streams: • Conceptually simple • Easy to share • Compatible with Snort (widely used freeware IDS) • E.g., can run on Snort’s default set of 1,900+ signatures • … but of limited power; basically, a useful hack • As with other Bro analysis, signature matches generate events amenable to high-level policy script processing, rather than direct alerts
Status • Operational 24x7: LBNL (border & internal), NERSC, UC Berkeley, TUM, NCSA • Runs on commodity Unix PCs … but getting hard! • ~ 80K lines C++, 12K lines of policy scripts, 200 page user manual • Main LBNL Bro blocks 50-500 remote addresses/day, mostly for scanning • Provides extensive logs, invaluable for forensics & site traffic analysis
R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed monitoring …
R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed monitoring …
Making Bro Broadly Available • Broader documentation: setup, operational procedures, analysis techniques, FAQ • Tutorials (already have in-house) • Bug-tracking system • Test suites • Production vs. research code trees • Framework for integrating contributions • GUIs for configuration, log analysis • Framework for rapid dissemination of new scripts/policies/signatures
R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed (10-40 Gbps) monitoring …
Discussion/Questions? • http://www-nrg.ee.lbl.gov/bro.html • vern@icir.org