the bro network intrusion detection system
play

The Bro Network Intrusion Detection System Robin Sommer Lawrence - PowerPoint PPT Presentation

Nov 29, 2023 •733 likes •1.14k views

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory rsommer@lbl.gov http://www.icir.org UC Computing Services Conference 2007 Outline Design of the Bro NIDS Philosophy Architecture

  1. The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory rsommer@lbl.gov http://www.icir.org UC Computing Services Conference 2007

  2. Outline • Design of the Bro NIDS • Philosophy • Architecture • LBNL’s Bro Installation • Recent Developments • Dynamic Protocol Detection • The Bro Cluster • Outlook UC Computing Services Conference 2007 2

  3. Design of the Bro NIDS UC Computing Services Conference 2007 3

  4. System Philosophy • Bro provides a real-time network analysis framework • Primary a network intrusion detection system (NIDS) • However it is also used for pure traffic analysis • Focus is on • Application-level semantic analysis (rather than analyzing individual packets) • Tracking information over time • Strong separation of mechanism and policy • The core of the system is policy-neutral (no notion “good” or “bad”) • User provides local site policy UC Computing Services Conference 2007 4

  5. System Philosophy (2) • Operators program their policy • Not really meaningful to talk about what Bro detects “by default” • Analysis model is not signature matching • Bro is fundamentally different from, e.g., Snort (though it can do signatures as well) • Analysis model is not anomaly detection • Though it does support such approaches (and others) in principle • System thoroughly logs all activity • It does not just alert • Logs are invaluable for forensics UC Computing Services Conference 2007 5

  6. Target Environments • Bro is specifically well-suited for scientific environments • Extremely useful in networks with liberal (“default allow”) policies • High-performance on commodity hardware • Supports intrusion prevention schemes • Open-source (BSD license) • Developed at LBNL & the International Computer Science Institute • It does however require some effort to use effectively • Pretty complex, script-based system • Requires understanding of the network • No GUI, just ASCII logs • Only partially documented • Lacking resources to fully polish the system • Development is primarily driven by research • However, our focus is operational use; we invest much time into “practical” issues • Want to bridge gap between research and operational deployment UC Computing Services Conference 2007 6

  7. Architecture Network UC Computing Services Conference 2007 7

  8. Architecture Event Engine (Core) Packet Filter Filtered Packet Stream Network UC Computing Services Conference 2007 7

  9. Architecture Policy Scripts Real-time Notification Policy Script Interpreter Event Control Event Stream Event Engine (Core) Packet Filter Filtered Packet Stream Network UC Computing Services Conference 2007 7

  10. Event-Engine • Event-engine is written in C++ • Performs policy-neutral analysis • Turns low-level activity into high-level events • Examples: connection_established, http_request • Events are annoated with context (e.g., IP addresses, URL) • Contains analyzers for >30 protocols, including • ARP , IP , ICMP , TCP , UDP • DCE-RPC, DNS, FTP , Finger, Gnutella, HTTP , IRC, Ident, NCP , NFS, NTP , NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP , SSH, SSL, SunRPC, Telnet • Analyzers generate ~300 events ... UC Computing Services Conference 2007 8

  11. Policy Scripts • Scripts process event stream, incorporating ... • ... context from past events • ... site’s local security policy • Scripts take actions • Recording activity to disk • Generating alerts via syslog or mail • Executing program as a form of response UC Computing Services Conference 2007 9

  12. Script Example: Tracking SSH Hosts global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder’s address local service = c$id$resp_p; # Responder’s port if ( service != 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; } UC Computing Services Conference 2007 10

  13. Expressing Policy • Scripts are written in custom, domain-specific language • Bro ships with 20K+ lines of script code • Default scripts detect attacks & log activity extensively • Language is • Procedural • Event-based • Strongly typed • Rich in types • Usual script-language types, such as tables and sets • Domain-specific types, such as addresses, ports, subnets • Supporting state management (expiration, timers, etc.) • Supporting communication with other Bro instances UC Computing Services Conference 2007 11

  14. Communication Architecture Bro A Policy Script Interpreter Event Engine (Core) Network UC Computing Services Conference 2007 12

  15. Communication Architecture Bro A Bro B Policy Script Interpreter Policy Script Interpreter Event Engine (Core) Event Engine (Core) Network Network UC Computing Services Conference 2007 12

  16. Communication Architecture Bro A Bro B Policy Script Interpreter Policy Script Interpreter Event Engine (Core) Event Engine (Core) Network Network UC Computing Services Conference 2007 12

  17. Communication Architecture Bro A Bro B Policy Script Interpreter Policy Script Interpreter Event Engine (Core) Event Engine (Core) Network Network UC Computing Services Conference 2007 12

  18. LBNL’s Bro Installation UC Computing Services Conference 2007 13

  19. Bro at the Lawrence Berkeley Lab • LBNL has been using Bro for >10 years • Uses Bro to monitor its 10 Gbps Internet uplink • Bro is one of the main components of lab’s security • Several Bro boxes for different tasks • Bro automatically blocks attackers (~4000/day, mainly scanners) UC Computing Services Conference 2007 14

  20. LBNL Monitoring Setup External Internal Gateway Tap Tap 10GB 10GB (ESNet) (LBLNet) Dynamic acld Blocking Bro Bro Bro Bro Bro Bro UC Computing Services Conference 2007 15

  21. Recent Developments (1) The Bro Cluster UC Computing Services Conference 2007 16

  22. Motivation • NIDSs reach their limits on commodity hardware • Keep needing to do more analysis on more data at higher speeds • Analysis gets richer over timer, as attacks get more sophisticated • However, single CPU performance is not growing anymore the way it used to • Single NIDS instance (Snort, Bro) cannot cope with >=1Gbps links • Key to overcome current limits is parallel analysis • Volume is high but composed of many independent tasks • Need to exploit parallelism to cope with load UC Computing Services Conference 2007 17

  23. The Bro Cluster • Load-balancing approach: use many boxes instead of one • Most NIDS provide support for multi-system setups • However instances tend to work independent • Central manager collects alerts of independent NIDS instances • Aggregates results instead of correlating analysis • The Bro cluster works transparently like a single NIDS • Gives same results as single NIDS would if it could analyze all traffic • No loss in detection accuracy • Scalable to large number of nodes • Single system for user interface (log aggregation, configuration changes) UC Computing Services Conference 2007 18

  24. Architecture !"# +$%&"$,-( +$%&"$&% $%&'(")) )&%.#"/ !"# !"#$%&$'()#'&* 6,$,7&" 222 3"#45 0,1/&$'()#'&* UC Computing Services Conference 2007 19

  25. Prototype Setups • Lawrence Berkeley National Laboratory • Monitors 10 Gbps upstream link • 1 front-end, 10 backends • University of California, Berkeley • Monitors 2x1Gbps upstream links • 2 front-ends, 6 backends • IEEE Supercomputing 2006 • Conference’s 1 Gbps backbone network • 100 Gbps High Speed Bandwidth Challenge network (partially) • Goal: Replace current operational security monitoring UC Computing Services Conference 2007 20

  26. Front-Ends • Distribute traffic to back-ends by rewriting MACs • In software via Click (open-source “modular router”) • In hardware via Force-10’s P10 (prototype in collaboration with F10) • Fault-tolerance • Easy to retarget traffic if a back-end node fails • Per connection-hashing • Either 4-tuple (addrs,ports) or 2-tuple (addrs) • MD5 mod n, ADD mod n UC Computing Services Conference 2007 21

  27. Back-ends • Running Bro as their analysis engine • Bro provides extensive communication facilities • Independent state framework • Sharing of low-level state • Script-layer variables can be synchronized • Basic approach: pick state to be synchronized • A few subtleties needed to be solved • Central manager • Collects output of all instances • Raises alerts • Provides dynamic reconfiguration facilities UC Computing Services Conference 2007 22

  28. Evaluation & Outlook • Prototypes are running nicely • Are able to perform analysis not possible before • E.g., full HTTP analysis & Dynamic Protocol Detection/Analysis • Now in the process of making it production quality • Evaluation • Verified accuracy by comparing against single Bro instance • Evaluated performance wrt load-balancing quality, scalability, overhead UC Computing Services Conference 2007 23

Recommend

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security

A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security

A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security and Privacy Sumanta Saha Md. Safiqul Islam Md. Sakhawat Hossen W IRELESS A D H OC N ETWORK Wireless ad hoc networks are autonomous nodes that

372 views • 15 slides
Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for

Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for Nuclear Power Plants Jae-Hee Roh a , Seok-Ki Lee a , Choul-Woong Son

362 views • 4 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks Presented by: Nors Salman Credits to my thesis partner: Marco Bresch Brief background: in-vehicle networks Controller Area Network (CAN) MOST

425 views • 23 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy School of Engineering, University of Warwick, UK Introduction Mainstream approaches in intrusion detection do not scale well to the embedded

936 views • 7 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP Michael Rave Coen Steenbeek 7 February 2007 Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

203 views • 18 slides
Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides

More recommend