following the packets a walk through bro s internal
play

Following the Packets: A Walk Through Bros Internal Processing - PowerPoint PPT Presentation

Mar 24, 2024 •445 likes •896 views

Following the Packets: A Walk Through Bros Internal Processing Pipeline Robin Sommer robin@icir.org Corelight, Inc. International Computer Science Institute Lawrence Berkeley National Laboratory Outline Bros Architecture & Data

  1. Following the Packets: A Walk Through Bro’s Internal Processing Pipeline Robin Sommer robin@icir.org Corelight, Inc. International Computer Science Institute Lawrence Berkeley National Laboratory

  2. Outline Bro’s Architecture & Data Flow Components Protocol & file analysis Log writer & input readers Bro Plugins

  3. Bro Architecture Script Interpreter Events Event Engine Network Packets

  4. Bro Architecture Script Interpreter Events Event Engine Packet Source Network Packets

  5. Bro Architecture Script Interpreter Events Event Engine I/O Loop Packet Source Network Packets

  6. Bro Architecture Script Interpreter Events Event Engine Session I/O Loop Table Packet Source Network Packets

  7. Bro Architecture Script Interpreter Events Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  8. Bro Architecture Script Interpreter Events Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  9. Bro Architecture Script Interpreter Events File Analysis Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  10. Bro Architecture Script Interpreter Events File Analysis Signature Engine Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  11. Bro Architecture Script Interpreter Events Event File Queue Analysis Signature Engine Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  12. Bro Architecture Script Interpreter Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  13. Bro Architecture Script Event Handlers Interpreter Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  14. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  15. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Log Connection Manager Session I/O Loop Table Packet Source Network Packets

  16. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Remote- Log Connection Serializer Manager Session I/O Loop Table Packet Source Network Packets

  17. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Connection Serializer Manager Session I/O Loop Table Packet Source Network Packets

  18. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Session I/O Loop Table Packet Source Network Packets

  19. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  20. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  21. Protocol & File Analysis Example: SSL Session IP

  22. Protocol & File Analysis Example: SSL Session IP TCP connection_established()

  23. Protocol & File Analysis Example: SSL Session IP TCP SSL connection_established() ssl_{client,server}_hello()

  24. Protocol & File Analysis Example: SSL Session IP TCP SSL X.509 connection_established() ssl_{client,server}_hello() x509_certificate()

  25. Protocol & File Analysis Example: SSL Session ? IP TCP SSL X.509 connection_established() ssl_{client,server}_hello() x509_certificate()

  26. Dynamic Protocol Detection IP TCP

  27. Dynamic Protocol Detection IP TCP PIA Buffer

  28. Dynamic Protocol Detection Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer

  29. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer

  30. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL

  31. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL X.509

  32. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL HTTP X.509

  33. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL HTTP X.509

  34. Protocol Analyzer API class Analyzer { virtual void Init (); virtual void Done (); virtual void DeliverPacket (int len, const u_char* data, bool orig, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); virtual void DeliverStream (int len, const u_char* data, bool orig); virtual void Undelivered (uint64 seq, int len, bool orig); virtual void EndOfData (bool is_orig); virtual void FlipRoles (); } class TCP_ApplicationAnalyzer : public Analyzer { virtual void EndpointEOF (bool is_orig); virtual void ConnectionFinished (int half_finished); virtual void ConnectionReset (); };

  35. File Analyzer API class Analyzer { virtual void Init (); virtual void Done (); virtual bool DeliverChunk (const u_char* data, uint64 len, uint64 offset); virtual bool DeliverStream (const u_char* data, uint64 len); virtual bool EndOfFile (); virtual bool Undelivered (uint64 offset, uint64 len); };

  36. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  37. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  38. Writers & Readers Log Writers Input Readers ASCII ASCII Binary SQLite Raw file SQLite

  39. Log Writer API class WriterBackend { virtual bool DoInit (const WriterInfo& info, int num_fields, virtual bool DoWrite (int num_fields, const Field* const* fields, threading::Value** vals); virtual bool DoSetBuf (bool enabled); virtual bool DoFlush (double network_time); virtual bool DoRotate (const char* rotated_path, double open, double close, bool terminating); virtual bool DoFinish (double network_time); virtual bool DoHeartbeat (double network_time, double current_time); }; Each writer runs in its own thread.

Recommend

Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Networking Packets Terminology Example: IP Packet Size Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 September 2013 Common/Reports/packets.tex, r676

668 views • 29 slides
TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets Reordered packets Malicious packets Requirements for Reliability Error Detection Receiver Feedback Retransmission Requirements

457 views • 23 slides
The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley Daphne bholua Chimonanthus praecox Luteus Edgeworthia chrysantha grandiflora

487 views • 27 slides
the day of Question to send a message containing h Packets I want chambers am using corrupts K

the day of Question to send a message containing h Packets I want chambers am using corrupts K

CS 70 July 9,2020 the day of Question to send a message containing h Packets I want chambers am using corrupts K of the Packets The network I don't know which k Packets are corrupted we is fixed regardless of the length of the K message

538 views • 12 slides
Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question:

Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question:

Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question: Can you send n + k packets and recover message? A degree n 1 polynomial determined by any n points! Erasure Coding Scheme: message = m 0 , m 2

314 views • 9 slides
Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES Identify ways to make an impact through Walk MS. Be equipped to demonstrate boldness and enthusiasm when asking friends and family to join you in

407 views • 29 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO,

r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO,

r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) *Apr 28 18:45:18.863 KRSK: EIGRP: Received HELLO on Serial0/0/0 nbr 10.16.0.1 *Apr 28 18:45:18.863 KRSK: AS 200,

531 views • 5 slides
Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The ISIS Walk The ISIS Walk 3 the ISIS Walk guide hyperspace package We will be introducing the ISIS Walk DVD this Fall 2010 with the option

912 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS Network operators : Block traffic in their own networks/countries Off-path attackers : Inject TCP RST packets (next week) Routing-capable adversaries

517 views • 23 slides
CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS Network operators : Block traffic in their own networks/countries Off-path attackers : Inject TCP RST packets (next week) Routing-capable adversaries

654 views • 44 slides
Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal

Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal

Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal Audit Function Sponsored by: The Austin Chapter of the Institute of Internal Auditors, Academic Relations Committee Slide 1 Managing The Internal

722 views • 12 slides
Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of walking infrastructure Walk through Roslindale Village Discuss observations and recommend improvements Next Steps: Review report/submit comments

375 views • 19 slides
Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks are complex! o but doesnt lose or reorder them many pieces: A simple protocol o send file as a series of packets hosts Question:

200 views • 6 slides
Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that linguists call morphemes , the minimal units of linguistic form and meaning. 1 / 41 dog, dog+s, bull+dog walk, walk+s, walk+ed, walk+ing,

806 views • 41 slides
CONDEMNATION PACKETS CONDEMNATION PACKETS How to Make Your L oc al Condemnation Attor ney

CONDEMNATION PACKETS CONDEMNATION PACKETS How to Make Your L oc al Condemnation Attor ney

CONDEMNATION PACKETS CONDEMNATION PACKETS How to Make Your L oc al Condemnation Attor ney Happy By L o rra ine Ne e le y, Atto rne y, Distric t 12 And Pa m Cla y-Yo ung , Atto rne y, Distric t 7 Na me a nd addre ss o f pro pe rty o

489 views • 25 slides
Quality of Service 90 % 9 7 % 9 8 % 99 % 3 QoS 2 Packets (%) 1 5 0 1 00 1 5 0 2 00 D e l a y (

Quality of Service 90 % 9 7 % 9 8 % 99 % 3 QoS 2 Packets (%) 1 5 0 1 00 1 5 0 2 00 D e l a y (

Quality of Service 90 % 9 7 % 9 8 % 99 % 3 QoS 2 Packets (%) 1 5 0 1 00 1 5 0 2 00 D e l a y ( milli sec ond s) Attempts to offer certain levels of service for real- time apps, e.g., video/audio streaming, VoIP, etc. May not have as

576 views • 18 slides
Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3)

Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3)

Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3) non-profit organization. Its members are City of Norwalk residents. Its purpose is to advocate for clean and accessible waterways in and around

621 views • 13 slides
" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer

" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer

" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer Research Sunday, Sept. 7, 2014 Elm Avenue Town Park Delmar, New York 12054 Local Sponsorship Opportunities Sponsorship contact: Shari Piper Email:

164 views • 14 slides
STVM High School Program Christa Hovey, School Counselor & CCP Coordinator Packets I

STVM High School Program Christa Hovey, School Counselor & CCP Coordinator Packets I

STVM High School Program Christa Hovey, School Counselor & CCP Coordinator Packets I have assembled packets with all the information that you should need to work through the CCP process from Start to Finish. . My goal is to make

387 views • 35 slides
John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough

John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough

John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough of Manhattan Community Board 8 Presentation May 3, 2017 Parks Capital Design GOALS Provide disabled accessibility to the John Finley Walk

370 views • 16 slides
LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012

LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012

LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012 David Robson MA(Oxon) MSc MRICS Tom Merralls (LLB) Solicitor Why should I extend my lease? Valuation and legal services How do we progress

622 views • 23 slides
Wave packets on Riemannian manifolds Jean-Marc Bouclet Institut de Math ematiques de Toulouse

Wave packets on Riemannian manifolds Jean-Marc Bouclet Institut de Math ematiques de Toulouse

Wave packets on Riemannian manifolds Jean-Marc Bouclet Institut de Math ematiques de Toulouse November 24, 2015 Wave packets: a review of basic facts Wave packets: a review of basic facts Canonical example: gaussian wave packet Wave

1.47k views • 129 slides

More recommend