
Broverview - Bro Workshop 2011, NCSA, Urbana-Champaign, IL (PowerPoint presentation, slide text)



Slide 1: The Bro Network Security Monitor - Broverview. Bro Workshop 2011, NCSA, Urbana-Champaign, IL.

Slide 2: Outline
  - Philosophy and Architecture: a framework for network traffic analysis.
  - History: from research to operations.
  - Architecture: components, logs, scripts, cluster.

Slide 3: What is Bro?
  [Diagram: the building blocks are Packet Capture, Traffic Inspection, Attack Detection, Log Recording (NetFlow, syslog), and Flexibility / Abstraction / Data Structures, labelled "Domain-specific Python"; the caption reads "Sum is more than the pieces".]

Slide 4: Philosophy
  - Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro.
  - Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis.
  - Policy-neutral at the core. Can accommodate a range of detection approaches.
  - Highly stateful. Tracks extensive application-layer network state.
  - Supports forensics. Extensively logs what it sees.

Slide 5: Target Audience
  - Large-scale environments. Effective also with liberal security policies.
  - Network-savvy users. Requires understanding of your network.
  - Unixy mindset. Command-line based, fully customizable.

Slide 6: Bro History
  [Timeline figure, 1995 to 2011. Milestones: Vern writes 1st line of code; LBNL starts using Bro operationally; releases v0.2, v0.4, v0.6, v0.7a48, v0.7a90, v0.7a175/0.8aX, 0.8a37, v0.8aX/0.9aX, v1.0, v1.1/v1.2, v1.3, v1.4, v1.5, Bro 2.0. Feature annotations include: 1st CHANGES entry, RegExps, Login analysis, Signatures, Scan detector, SMTP, HTTP analysis, IP fragments, Profiling, SSL/SMB, Communication, Persistence, Namespaces, "when" statement, State Mgmt, Broccoli, BinPAC, DPD, IRC/RPC analyzers, IPv6 support, 64-bit support, NetFlow, User manual, GeoIP, Ctor expressions, Conn Compressor, Log Rotation, DHCP/BitTorrent, HTTP entities, BroControl, STABLE releases, Resource tuning, Consistent CHANGES, Sane version numbers, Linux support, BroLite / Bro Lite deprecated, Bro Waters. Research context annotations: USENIX paper, Stepping Stone detector, Active Mapping, Context Signatures, Independent State, TRW, Bro Cluster, Time Machine, Enterprise Traffic, Anonymizer, BinPAC, DPD, Shunt, Parallel Prototype, Host Context, Second Path, Autotuning, State Mgmt, Academic Publications.]

Slide 7: Research Heritage
  - Much of Bro is coming out of research projects. Bridging the gap between academia and operations.
  - However, that meant limited engineering resources. We were lacking resources for development, documentation, polishing.
  - NSF now funding Bro development at ICSI and NCSA. Full-time engineers working 3 years on capabilities & user experience. (NSF Office of Cyberinfrastructure)
  - Objective is a sustainable development model. Aiming to create a larger user and development community.

Slide 8: Deployment
  [Diagram: Internet - tap - Internal Network, with Bro attached to the tap.]
  - Runs on commodity platforms. Standard PCs & NICs. Supports FreeBSD/Linux/OS X.

Slide 9: Architecture
  [Layered diagram, bottom to top:
    Network
      -> Packets ->
    Event Engine (Protocol Decoding)
      -> Events ->
    Policy Script Interpreter (Analysis Logic; the "User Interface")
      -> Logs, Notification]

Slide 10: Script Example: Matching URLs
  Task: Report all Web requests for files called "passwd".

    event http_request(c: connection,          # Connection.
                       method: string,         # HTTP method.
                       original_URI: string,   # Requested URL.
                       unescaped_URI: string,  # Decoded URL.
                       version: string)        # HTTP version.
        {
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...);   # Alarm.
        }

Slide 11: Script Example: Scan Detector
  Task: Count failed connection attempts per source address.
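A complete solution to the scan-detector task above, written here as an added example in Bro's script language (it is not the workshop's own solution): it counts failed connection attempts per originating address using the connection_attempt and connection_rejected events, and raises a notice through the Notice framework once a source reaches a threshold within an hour, which exercises the Events -> Policy Script Interpreter -> Notification path of the architecture slide. The module name ScanDetect, the notice type Address_Scan, the threshold of 25 and the one-hour window are assumptions.

```bro
# Added example (not from the workshop slides): count failed connection
# attempts per source address and raise a notice above a threshold.
# Module name, notice type, threshold and window are assumptions.
@load base/frameworks/notice

module ScanDetect;

export {
    redef enum Notice::Type += {
        ## A source exceeded the failed-connection threshold.
        Address_Scan,
    };

    ## Failed attempts from one source before a notice is raised.
    const threshold = 25 &redef;
}

# Counter keyed by originator address. Unseen keys read as 0, and each
# entry is dropped one hour after it was created, so the count is
# "failures per hour" rather than failures since Bro started.
global failed: table[addr] of count &default=0 &create_expire=1 hr;

function record_failure(c: connection)
    {
    local src = c$id$orig_h;
    ++failed[src];

    # Fire exactly once per window: only when the threshold is first reached.
    if ( failed[src] == threshold )
        NOTICE([$note=Address_Scan,
                $msg=fmt("%s made %d failed connection attempts in the last hour",
                         src, failed[src]),
                $src=src]);
    }

# Originator sent a SYN and got no reply at all (filtered port, silent host).
event connection_attempt(c: connection)
    {
    record_failure(c);
    }

# Originator's SYN was answered with a RST (closed port).
event connection_rejected(c: connection)
    {
    record_failure(c);
    }
```

Because the counter is keyed on the originator only, a single host probing many destinations is caught while a busy server that merely receives failed connections is not counted; raising the threshold for known scanners or whitelisting monitoring hosts is the usual tuning step.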
