1 / 17

Flexible, High-Speed Intrusion Detection Using Bro

Flexible, High-Speed Intrusion Detection Using Bro. Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center for Internet Research International Computer Science Institute Berkeley, CA USA vern@icir.org http://www-nrg.ee.lbl.gov/bro.html.

raine
Download Presentation

Flexible, High-Speed Intrusion Detection Using Bro

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Flexible, High-SpeedIntrusion Detection Using Bro Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center for Internet Research International Computer Science Institute Berkeley, CA USA vern@icir.org http://www-nrg.ee.lbl.gov/bro.html

  2. Protect Rather Than Secure • Modern science critically depends on diverse, high-performance Internet communication • Increasingly difficult given rising security threats • Alternative institutional approach: network intrusion detection • Monitor network traffic, look for attacks • Key point: tenable due to threat model at open research institutes • Few jewels • Low level of compromises is tolerable • Particularly effective when combined with dynamic blocking (reactive firewall) • Potentially keeps Default Allow viable

  3. Bro Design Goals (1990’s) • Monitor traffic in a very high performance environment • Real-time detection and response • Separation of mechanism from policy • Ready extensibility of both mechanism and policy • Resistant to evasion

  4. How Bro Works • Taps GigEther fiber link passively, sends up a copy of all network traffic. Network

  5. How Bro Works Tcpdump Filter Filtered Packet Stream • Kernel filters down high-volume stream via standard libpcap packet capture library. libpcap Packet Stream Network

  6. How Bro Works Event Control Event Stream • “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity • E.g., connection_attempt, http_reply, user_logged_in Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network

  7. How Bro Works Policy Script Real-time Notification Record To Disk • “Policy script” processes event stream, incorporates: • Context from past events • Site’s particular policies Policy Script Interpreter Event Control Event Stream Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network

  8. How Bro Works Policy Script Real-time Notification Record To Disk • “Policy script” processes event stream, incorporates: • Context from past events • Site’s particular policies • … and takes action: • Records to disk • Generates alerts via syslog, paging • Executes programs as a form of response • Sends events to other Bro’s Policy Script Interpreter Event Control Event Stream Event Engine Tcpdump Filter Filtered Packet Stream libpcap Packet Stream Network

  9. Signature Engine • Bro also includes a signature engine for matching specific patterns in packet streams: • Conceptually simple • Easy to share • Compatible with Snort (widely used freeware IDS) • E.g., can run on Snort’s default set of 1,900+ signatures • … but of limited power; basically, a useful hack • As with other Bro analysis, signature matches generate events amenable to high-level policy script processing, rather than direct alerts

  10. Status • Operational 24x7: LBNL (border & internal), NERSC, UC Berkeley, TUM, NCSA • Runs on commodity Unix PCs … but getting hard! • ~ 80K lines C++, 12K lines of policy scripts, 200 page user manual • Main LBNL Bro blocks 50-500 remote addresses/day, mostly for scanning • Provides extensive logs, invaluable for forensics & site traffic analysis

  11. R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed monitoring …

  12. R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed monitoring …

  13. Making Bro Broadly Available • Broader documentation: setup, operational procedures, analysis techniques, FAQ • Tutorials (already have in-house) • Bug-tracking system • Test suites • Production vs. research code trees • Framework for integrating contributions • GUIs for configuration, log analysis • Framework for rapid dissemination of new scripts/policies/signatures

  14. R&D Support • Funded variously via overhead, operations, research grants • Current research support: • NSF Strategic Technologies for the Internet • Likely DOE support soon for developing as a potential community resource ... • Pending R&D proposal to DOE for very high-speed (10-40 Gbps) monitoring …

  15. Prefiltering (Prototyped at SC02, SC03)

  16. Shunting

  17. Discussion/Questions? • http://www-nrg.ee.lbl.gov/bro.html • vern@icir.org

More Related