The Bro Network Security Monitor
Broverview
Bro Workshop 2011, NCSA, Urbana-Champaign, IL
Outline
Philosophy and Architecture: A framework for network traffic analysis.
History: From research to operations.
Architecture: Components, logs, scripts, cluster.
What is Bro?
Packet Capture
Traffic Inspection
Attack Detection
Log Recording (compare: NetFlow, syslog)
Plus: Flexibility, Abstraction, Data Structures ("Domain-specific Python")
The sum is more than the pieces.
Philosophy
Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro.
Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis.
Policy-neutral at the core. Can accommodate a range of detection approaches.
Highly stateful. Tracks extensive application-layer network state.
Supports forensics. Extensively logs what it sees.
Target Audience
Large-scale environments. Effective also with liberal security policies.
Network-savvy users. Requires understanding of your network.
Unixy mindset. Command-line based, fully customizable.
Bro History
(Timeline figure, 1995 to 2011; only the labels are recoverable here, their years are not.)
Milestones: Vern writes 1st line of code; LBNL starts using Bro operationally.
Releases: v0.2, v0.4, v0.6, v0.7a48, v0.7a90, v0.7a175/0.8aX, 0.8a37, v0.8aX/0.9aX, v1.0, v1.1/v1.2, v1.3, v1.4, v1.5, Bro 2.0.
Feature labels: 1st CHANGES entry, Profiling, when Stmt, BroControl, RegExps, SSL/SMB, State Mgmt, STABLE releases, Resource tuning, Login analysis, BroLite, Bro Waters, Broccoli, DPD, Signatures, BinPAC, DHCP/BitTorrent, HTTP analysis, SMTP, IRC/RPC analyzers, HTTP entities, Scan detector, IPv6 support, 64-bit support, NetFlow, IP fragments, User manual, Sane version numbers, Bro Lite Deprecated, Linux support, Communication, Ctor expressions, Consistent CHANGES, Persistence, GeoIP, Namespaces, Conn Compressor, Log Rotation.
Research labels (Academic Publications track): Host Context, Time Machine, Enterprise Traffic, TRW, State Mgmt., Bro Cluster, Independ. State, Shunt, Parallel Prototype, Anonymizer, BinPAC, Stepping Stone, Active Mapping, DPD, USENIX Paper, Context Signat., 2nd Path Detector, Autotuning.
Research Heritage
Much of Bro comes out of research projects. Bridging the gap between academia and operations.
However, that meant limited engineering resources. We were lacking resources for development, documentation, polishing.
NSF now funding Bro development at ICSI and NCSA. Full-time engineers working 3 years on capabilities & user experience. (NSF Office of Cyberinfrastructure)
Objective is a sustainable development model. Aiming to create a larger user and development community.
Deployment
(Figure: Bro sits between the Internal Network and the Internet.)
Runs on commodity platforms. Standard PCs & NICs. Supports FreeBSD/Linux/OS X.
Architecture
Network -> Packets -> Event Engine (Protocol Decoding) -> Events -> Policy Script Interpreter (Analysis Logic) -> Logs, Notification
The Policy Script Interpreter is the "User Interface".
Script Example: Matching URLs
Task: Report all Web requests for files called "passwd".

    event http_request(c: connection,          # Connection.
                       method: string,         # HTTP method.
                       original_URI: string,   # Requested URL.
                       unescaped_URI: string,  # Decoded URL.
                       version: string)        # HTTP version.
        {
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...);  # Alarm.
        }
Script Example: Scan Detector
Task: Count failed connection attempts per source address.
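Added example for the scan-detector task, written in the Bro 2.0 scripting style of the URL example above; it is not a script from the workshop slides or from the Bro distribution. The notice type, the threshold of 20 attempts and the 10-minute idle window are my own assumptions.

```bro
# Added example (not from the slides): count failed TCP connection attempts
# per source address and raise a notice once a threshold is reached.
module FailedConns;

export {
    redef enum Notice::Type += {
        ## Raised when a source reaches the failed-attempt threshold.
        Threshold_Exceeded
    };

    ## Failed attempts from one source before a notice is raised (assumed value).
    const threshold = 20 &redef;

    ## A source's counter is dropped after this much idle time (assumed value).
    const window = 10 mins &redef;
}

# Failed attempts seen per originator; idle entries expire automatically.
global failed: table[addr] of count &default=0 &write_expire=window;

function record_failure(c: connection)
    {
    local src = c$id$orig_h;
    ++failed[src];

    # Notice exactly once, when the threshold is first reached.
    if ( failed[src] == threshold )
        NOTICE([$note=Threshold_Exceeded,
                $src=src,
                $n=failed[src],
                $msg=fmt("%s made %d failed connection attempts within %s",
                         src, failed[src], window)]);
    }

# SYN sent but never answered before the attempt timeout.
event connection_attempt(c: connection)
    {
    record_failure(c);
    }

# SYN answered with a RST by the responder.
event connection_rejected(c: connection)
    {
    record_failure(c);
    }
```

Both unanswered and rejected SYNs feed the same per-source counter, so a scan of closed ports and a scan of unreachable hosts are counted alike.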