
Introduction to Bro-ids

Introduction to Bro-ids. Seth Hall, International Computer Science Institute, 2011 Educause Security Professionals Conference. Slides cover Paul Baran, data distribution, and the quotation “There’s generally no detection, and there’s almost never any response or auditing” (Bruce Schneier, “Secrets and Lies”).


Presentation Transcript


  1. Introduction to Bro-ids • Seth Hall • International Computer Science Institute • 2011 Educause Security Professionals Conference

  2. Paul Baran

  3. Data Distribution?

  4. “There’s generally no detection, and there’s almost never any response or auditing” - Bruce Schneier from “Secrets and Lies”

  5. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; fast_pattern:only; classtype:bad-unknown; sid:2011354; rev:2;)

     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Possible Reverse Web Shell (Microsoft Internet Explorer 6.0)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0"; http_header; classtype:trojan-activity; sid:2011393; rev:2;)

  6. Bro-IDS

  7. Domain-specific programming language! • Event-driven programming model • Built-in protocol parsing • Low-level, context-free events • Scalable deployment model

  8. (Layer diagram) Network Traffic → Protocol Parsing → Scripting Language

  9. (Same layer diagram) Network Traffic → Protocol Parsing → Scripting Language ("This is where you will work")

  10. TS = 1259971324.41856 (Dec 4 19:02:04 2009)
      ORIG_H = 192.168.1.105
      ORIG_P = 50193
      RESP_H = 198.189.255.74
      RESP_P = 80
      METHOD = GET
      HOST = ff.connextra.com
      REQUEST = /sportingbetUSA/selector/client?client=sportingbetUSA&placement=Score....
      REFERRER = http://www.scoresandodds.com/statfeed/statfeed.php?page=nfl/injury
      USER-AGENT = Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9......
      CLIENT BODY SIZE = -
      RESPONSE BODY SIZE = 0
      RESPONSE = 302
      RESPONSE MESSAGE = Moved Temporarily
      KEYS FROM COOKIE = FrequencyCappingCookie,sportingbetUSA,CxtId
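As an added example (not from the talk), the suspicious User-Agent Snort signature on slide 5 rewritten as a Bro event handler, which illustrates the event-driven model and built-in protocol parsing from slide 7: Bro delivers each parsed HTTP header as an event, so the check compares the header value instead of matching raw bytes. It assumes Bro 2.x script syntax (`module`, `Notice::Type`, `NOTICE`), which postdates the 2011 slides.

```bro
# Added example, not from the slides: flag the User-Agent string from the
# slide 5 Snort rule using Bro's parsed HTTP header events (Bro 2.x syntax).
module SuspiciousUA;

export {
    redef enum Notice::Type += {
        ## Raised when a client sends a User-Agent on the watch list.
        Suspicious_User_Agent
    };

    ## Exact User-Agent values to flag. The entry below is the one from the
    ## slide 5 Snort rule; sites extend the set with redef in local.bro.
    const watch_agents: set[string] = {
        "Microsoft Internet Explorer 6.0"
    } &redef;
}

# Bro hands us each header already parsed out of the request, so there is
# no need to match "User-Agent|3a| ..." bytes: compare the value directly.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only inspect headers sent by the client (originator) to the server,
    # the Bro equivalent of flow:established,to_server.
    if ( ! is_orig )
        return;

    # Bro normalises header names to upper case.
    if ( name != "USER-AGENT" )
        return;

    if ( value in watch_agents )
        NOTICE([$note=Suspicious_User_Agent,
                $conn=c,
                $msg=fmt("client %s sent a watch-listed User-Agent", c$id$orig_h),
                $sub=value,
                # Suppress duplicate notices from the same client and agent.
                $identifier=cat(c$id$orig_h, value)]);
}
```

The notice carries the connection, so the corresponding http and conn log entries (the fields on slide 10) can be joined to it by connection id.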

  11. CLUSTER DEPLOYMENT (diagram): Manager; Frontend Load-balancer; Workers; Proxies

  12. CLUSTER DEPLOYMENT (diagram build): Network Traffic arrives at the Frontend Load-balancer and is split across the Workers

  13.–15. CLUSTER DEPLOYMENT (diagram build): State is shared between Workers via the Proxies

  16. CLUSTER DEPLOYMENT (diagram build): Logs & Notices flow from the Workers to the Manager

  17. Upcoming • Better and extensible programming model • Improved logs • More complete language features • Fewer bugs • “Out of the box” integration with Barnyard 2 • Integration with external intelligence sources • 2.5 more years on the NSF grant!

  18. Questions?
