the bro network security monitor
play

The Bro Network Security Monitor Robin Sommer International - PowerPoint PPT Presentation

Mar 04, 2023 •178 likes •1.44k views

The Bro Network Security Monitor Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What is Bro? 2 The Bro Network Security Monitor What is

  1. Example Logs > bro -i en0 [ ... wait ...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration 1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929 1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460 1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440 #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] 1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711 1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667 1144876741.6335 192.150.186.169 53116 docs.python.org /lib/lib.css 200 Mozilla/5.0 1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346 1144876742.1687 192.150.186.169 53116 docs.python.org /icons/previous.png 304 Mozilla/5.0 1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663 1144876741.2838 192.150.186.169 53115 docs.python.org /lib/lib.html 200 Mozilla/5.0 > cat http.log 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/up.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/next.png 304 Mozilla/5.0 #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/contents.png 304 Mozilla/5.0 1144876741.6335 192.150.186.169 53116 docs.python.org /lib/lib.css 200 Mozilla/5.0 1144876742.1687 192.150.186.169 53116 docs.python.org /icons/previous.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/modules.png 304 Mozilla/5.0 1144876741.2838 192.150.186.169 53115 docs.python.org /lib/lib.html 200 Mozilla/5.0 1144876742.3338 192.150.186.169 53116 docs.python.org /icons/index.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/up.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/next.png 304 Mozilla/5.0 1144876745.6144 192.150.186.169 53117 www.google.com / 200 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/contents.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/modules.png 304 Mozilla/5.0 1144876742.3338 192.150.186.169 53116 docs.python.org /icons/index.png 304 Mozilla/5.0 1144876745.6144 192.150.186.169 53117 www.google.com / 200 Mozilla/5.0 7 The Bro Network Security Monitor

  2. Identifying HTTP Servers 8 The Bro Network Security Monitor

  3. Identifying HTTP Servers Server Addresses a198-189-255-200.deploy.akamaitechnolgies.com a198-189-255-216.deploy.akamaitechnolgies.com a198-189-255-217.deploy.akamaitechnolgies.com a198-189-255-230.deploy.akamaitechnolgies.com a198-189-255-225.deploy.akamaitechnolgies.com a198-189-255-206.deploy.akamaitechnolgies.com a198-189-255-201.deploy.akamaitechnolgies.com a198-189-255-223.deploy.akamaitechnolgies.com 72.21.91.19 a198-189-255-208.deploy.akamaitechnolgies.com a198-189-255-207.deploy.akamaitechnolgies.com nuq04s07-in-f27.1e100.net a184-28-157-55.deploy.akamaitechnologies.com a198-189-255-224.deploy.akamaitechnolgies.com a198-189-255-209.deploy.akamaitechnolgies.com a198-189-255-222.deploy.akamaitechnolgies.com a198-189-255-214.deploy.akamaitechnolgies.com nuq04s06-in-f27.1e100.net upload-lb.pmtpa.wikimedia.org nuq04s08-in-f27.1e100.net 8 The Bro Network Security Monitor

  4. Identifying HTTP Servers Server Addresses HTTP Host Headers a198-189-255-200.deploy.akamaitechnolgies.com ad.doubleclick.net a198-189-255-216.deploy.akamaitechnolgies.com ad.yieldmanager.com a198-189-255-217.deploy.akamaitechnolgies.com b.scorecardresearch.com a198-189-255-230.deploy.akamaitechnolgies.com clients1.google.com a198-189-255-225.deploy.akamaitechnolgies.com googleads.g.doubleclick.net a198-189-255-206.deploy.akamaitechnolgies.com graphics8.nytimes.com a198-189-255-201.deploy.akamaitechnolgies.com l.yimg.com a198-189-255-223.deploy.akamaitechnolgies.com liveupdate.symantecliveupdate.com 72.21.91.19 mt0.google.com a198-189-255-208.deploy.akamaitechnolgies.com pixel.quantserve.com a198-189-255-207.deploy.akamaitechnolgies.com platform.twitter.com nuq04s07-in-f27.1e100.net profile.ak.fbcdn.net a184-28-157-55.deploy.akamaitechnologies.com s0.2mdn.net a198-189-255-224.deploy.akamaitechnolgies.com safebrowsing-cache.google.com a198-189-255-209.deploy.akamaitechnolgies.com static.ak.fbcdn.net a198-189-255-222.deploy.akamaitechnolgies.com swcdn.apple.com a198-189-255-214.deploy.akamaitechnolgies.com upload.wikimedia.org nuq04s06-in-f27.1e100.net www.facebook.com upload-lb.pmtpa.wikimedia.org www.google-analytics.com nuq04s08-in-f27.1e100.net www.google.com 8 The Bro Network Security Monitor

  5. File Content 9 The Bro Network Security Monitor

  6. File Content 192.168.1.102 GET /skins-1.5/common/images/magnify-clip.png image/png - 192.168.1.102 GET /skins-1.5/monobook/external.png image/png - 192.168.1.102 GET /softw/90/update/avg9infoavi.ctf text/plain - 192.168.1.102 GET /softw/90/update/avg9infowin.ctf text/plain - 192.168.1.102 GET /softw/90/update/u7avi1777u1705ff.bin application/x-dosexec 0210a9516dd34abc481683f877bd8680 192.168.1.102 GET /softw/90/update/u7avi1778u1705z7.bin application/x-dosexec 9bd8e3a274d8ada852bc3d9736116bf6 192.168.1.102 GET /softw/90/update/u7iavi2511u2510ff.bin application/x-dosexec 5e63f63fd955207610a56dbd89d8688f 192.168.1.102 GET /softw/90/update/u7iavi2512u2511z7.bin application/x-dosexec a8e1ef490967ef7eb6641bef9eed4003 192.168.1.102 GET /softw/90/update/x8xplsb2_118c8.bin application/x-dosexec e6915411c5550e9fbf33ef15fed75e5a 192.168.1.102 GET /softw/90/update/x8xplsc_149d148c8.bin application/x-dosexec db5b04f3c45da4c0686c678bfd0e241c 192.168.1.102 GET /sports/ text/html - 9 The Bro Network Security Monitor

  7. Software Logging 10 The Bro Network Security Monitor

  8. Software Logging 192.168.1.104 HTTP::BROWSER Windows-Update-Agent - - Windows-Update-Agent 65.54.95.64 HTTP::SERVER Microsoft-IIS 6 0 Microsoft-IIS/6.0 65.54.95.64 HTTP::APPSERVER ASP.NET - - ASP.NET 65.55.184.16 HTTP::SERVER Microsoft-IIS 7 0 Microsoft-IIS/7.0 65.55.184.16 HTTP::APPSERVER ASP.NET - - ASP.NET 192.168.1.102 HTTP::BROWSER SCSDK 6 0 SCSDK-6.0.0 212.227.97.133 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 212.227.97.133 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 87.106.1.47 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 87.106.1.47 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 87.106.1.89 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 87.106.1.89 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 87.106.12.47 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 87.106.12.47 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 87.106.12.77 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 87.106.12.77 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 87.106.66.233 HTTP::SERVER Apache 2 0 Apache/2.0.54 (Debian GNU/Linux) 87.106.66.233 HTTP::APPSERVER PHP 4 3 PHP/4.3.10-22 87.106.9.29 HTTP::SERVER Apache 2 2 Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 87.106.9.29 HTTP::APPSERVER PHP 5 2 PHP/5.2.6-1+lenny3 10 The Bro Network Security Monitor

  9. SSL Certificate Logging 11 The Bro Network Security Monitor

  10. SSL Certificate Logging 65.55.184.16 CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com 66.235.128.158 CN=Sun Microsystems Inc SSL CA,OU=Class 3 MPKI Secure Server CA,OU=VeriSign 65.55.184.155 CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com 65.55.16.121 CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com 65.54.186.79 CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at 96.6.248.124 CN=Akamai Subordinate CA 3,O=Akamai Technologies Inc,C=US 96.6.245.186 CN=Akamai Subordinate CA 3,O=Akamai Technologies Inc,C=US 66.235.139.152 OU=Equifax Secure Certificate Authority,O=Equifax,C=US 65.54.234.75 CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at 96.6.244.212 CN=Akamai Subordinate CA 3,O=Akamai Technologies Inc,C=US 216.223.0.208 CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US 98.137.50.24 OU=Equifax Secure Certificate Authority,O=Equifax,C=US 63.245.209.39 OU=Equifax Secure Certificate Authority,O=Equifax,C=US 65.55.184.27 CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com 11 The Bro Network Security Monitor

  11. Brownian 12 The Bro Network Security Monitor

  12. Architecture Packets Network 13 The Bro Network Security Monitor

  13. Architecture Events Event Engine Protocol Decoding Packets Network 13 The Bro Network Security Monitor

  14. Architecture Logs Notification Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 13 The Bro Network Security Monitor

  15. Architecture Logs Notification “User Interface” Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 13 The Bro Network Security Monitor

  16. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 14 The Bro Network Security Monitor

  17. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 Stream of TCP packets ... ... SYN SYN ACK ACK ACK ACK FIN FIN 14 The Bro Network Security Monitor

  18. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 Stream of TCP packets ... ... SYN SYN ACK ACK ACK ACK FIN FIN Event connection_established(1.2.3.4/4321 ⇒ 5.6.7.8/80) 14 The Bro Network Security Monitor

  19. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 Stream of TCP packets ... ... SYN SYN ACK ACK ACK ACK FIN FIN Event connection_established(1.2.3.4/4321 ⇒ 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 ⇒ 5.6.7.8/80, “GET”, “/index.html”) 14 The Bro Network Security Monitor

  20. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 Stream of TCP packets ... ... SYN SYN ACK ACK ACK ACK FIN FIN Event connection_established(1.2.3.4/4321 ⇒ 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 ⇒ 5.6.7.8/80, “GET”, “/index.html”) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 ⇒ 5.6.7.8/80, 200, “OK”, data ) 14 The Bro Network Security Monitor

  21. Event Model Web Request for /index.html Web Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 Stream of TCP packets ... ... SYN SYN ACK ACK ACK ACK FIN FIN Event connection_established(1.2.3.4/4321 ⇒ 5.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/4321 ⇒ 5.6.7.8/80, “GET”, “/index.html”) TCP stream reassembly for responder Event http_reply(1.2.3.4/4321 ⇒ 5.6.7.8/80, 200, “OK”, data ) connection_finished(1.2.3.4/4321, 5.6.7.8/80) Event 14 The Bro Network Security Monitor

  22. Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. 15 The Bro Network Security Monitor

  23. Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. event http_request (c: connection, # Connection. method: string, # HTTP method. original_URI: string, # Requested URL. unescaped_URI: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_URI == /.*passwd/ ) NOTICE(...); # Alarm. } 15 The Bro Network Security Monitor

  24. Script Example: Scan Detector Task: Count failed connection attempts per source address . 16 The Bro Network Security Monitor

  25. Script Example: Scan Detector Task: Count failed connection attempts per source address . global attempts : table[addr] of count &default=0; event connection_rejected (c: connection) { local source = c$id$orig_h; # Get source address. local n = ++attempts[source]; # Increase counter. if ( n == SOME_THRESHOLD ) # Check for threshold. NOTICE(...); # Alarm. } 16 The Bro Network Security Monitor

  26. Distributed Scripts 17 The Bro Network Security Monitor

  27. Distributed Scripts Bro comes with >10,000 lines of script code. Prewritten functionality that’s just loaded. Scripts generate all the logs. Amendable to extensive customization and extension. 17 The Bro Network Security Monitor

  28. Bro Ecosystem Tap Internal Internet Network Bro 18 The Bro Network Security Monitor

  29. Bro Ecosystem Tap Internal Internet Network Bro Control Output BroControl User Interface 18 The Bro Network Security Monitor

  30. Bro Ecosystem Tap Internal Internet Network Contributed Functionality Bro Scripts Control Output BroControl User Interface 18 The Bro Network Security Monitor

  31. Bro Ecosystem Tap Internal Internet Network Events Contributed Functionality Bro Other Bros Scripts State Control Output BroControl User Interface 18 The Bro Network Security Monitor

  32. Bro Ecosystem Tap Internal Internet Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library BroControl Broccoli User Interface 18 The Bro Network Security Monitor

  33. Bro Ecosystem Tap Internal Internet Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library BroControl Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 18 The Bro Network Security Monitor

  34. Bro Ecosystem Time Machine Tap Internal Tap Internet Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library BroControl Broccoli Python Broccoli Broccoli Ruby User Interface (Broccoli Perl) 18 The Bro Network Security Monitor

  35. Bro Ecosystem Time Machine Tap Internal Tap Internet Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 18 The Bro Network Security Monitor

  36. Bro Ecosystem Time Machine Bro Distribution Tap Internal Tap Internet bro-2.1.tar.gz Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 18 The Bro Network Security Monitor

  37. Bro Ecosystem Time Machine Bro Distribution Tap Internal Tap Internet bro-2.1.tar.gz Network Events Contributed Functionality Bro Other Bros Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) http:://www.bro-ids.org/download git://git.bro-ids.org 18 The Bro Network Security Monitor

  38. Bro Cluster Ecosystem Tap Internal Internet Network Events Contributed Functionality Bro External Bro Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  39. Bro Cluster Ecosystem Tap Internal Internet Network Events Contributed Functionality Bro External Bro Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  40. Bro Cluster Ecosystem Tap Internal Internet Network Load- Balancer Events Contributed Functionality Bro External Bro Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  41. Bro Cluster Ecosystem Tap Internal Internet Network Load- Balancer Packets Events Contributed Functionality Bro Bro Bro Bro Bro External Bro Scripts State Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  42. Bro Cluster Ecosystem Tap Internal Internet Network Load- Balancer Packets Events Contributed Functionality Bro Bro Bro Bro Bro External Bro Scripts State Control Output Control Output Events Bro Client Communication Library bro-aux BinPAC capstats BroControl BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  43. Bro Cluster Ecosystem Tap Internal Internet Network Load- Balancer Packets “Frontend” Events Contributed Functionality Bro Bro Bro Bro Bro External Bro Scripts State “Workers” Control Output Control Output Events Bro Client Communication Library “Manager” bro-aux BinPAC capstats BroControl BroControl Broccoli Python trace- BTest Broccoli summary Broccoli Ruby User Interface User Interface (Broccoli Perl) 19 The Bro Network Security Monitor

  44. A Production Load-Balancer cFlow: 10GE line-rate, stand-alone load-balancer 10 Gb/s in/out Web & CLI Filtering capabilities Available from cPacket 20 The Bro Network Security Monitor

  45. A Production Load-Balancer cFlow: 10GE line-rate, stand-alone load-balancer 10 Gb/s in/out Web & CLI Filtering capabilities Available from cPacket 20 The Bro Network Security Monitor

  46. Indiana University Indiana University OpenFlow Deployment v.1.0 Bloomington CIC Chicago Chicago Testlab 2 Nodes via 8 OpenFlow Switches 10 Gig 10 Gig via 2 Nodes via DWDM System Test Servers 5 Nodes IU Production Indianapolis Deployment 2 Nodes IU Wireless SSID: ICTC OpenFlow Testpoint InterOp lab Informatics Layer 3 router West on OpenFlow Informatics switches East Telcom Bldn Lindley Workshop Hall 12 x 10G IDS 6 x 10G IU Cluster Core Monitoring 12 servers Network 4 OpenFlow Indianapolis switches OpenFlow load balancer VM Server Source: Indiana University 21 The Bro Network Security Monitor

  47. Indiana University Indiana University OpenFlow Deployment v.1.0 Bloomington CIC Chicago Chicago Testlab 2 Nodes via 8 OpenFlow Switches 10 Gig 10 Gig via 2 Nodes via DWDM System Test Servers 5 Nodes IU Production Indianapolis Deployment 2 Nodes IU Wireless SSID: ICTC OpenFlow Testpoint InterOp lab Informatics Layer 3 router West on OpenFlow Informatics switches East Telcom Bldn Lindley Workshop Hall 12 x 10G IDS 6 x 10G IU Cluster Core Monitoring 12 servers Network 4 OpenFlow Indianapolis switches OpenFlow load balancer VM Server Source: Indiana University 21 The Bro Network Security Monitor

  48. External Events: Broccoli 22 The Bro Network Security Monitor

  49. External Events: Broccoli “Auditing SSHD” 22 The Bro Network Security Monitor

  50. External Events: Broccoli “Auditing SSHD” STUNNEL' SSLOGMUX' PARENT' SSHD' BROPIPE' CHILD' SSHD' Source: Scott Campbell / NERSC 22 The Bro Network Security Monitor

  51. NERSC Computer Use Policies Form Monitoring and Privacy Users have no explicit or implicit expectation of privacy. NERSC retains the right to monitor the content of all activities on NERSC systems and networks and access any computer files without prior knowledge or consent of users, senders or recipients. NERSC may retain copies of any network traffic, computer files or messages indefinitely without prior knowledge or consent. 23 The Bro Network Security Monitor

  52. The Security Fence . Cartoon Courtesy Clay Bennett / The Christian Science Monitor 24 The Bro Network Security Monitor

  53. Version 2.0 (Jan 2012) 25 The Bro Network Security Monitor

  54. Version 2.0 (Jan 2012) Default scripts rewritten from scratch. Focus on ease of use and operational deployment. New logging infrastructure. New build and packaging system. New auto-documentation system (Broxygen). Lots of bugs fixed. Obsolete code removed. New development infrastructure. New regression testing framework. New web server. New mailing lists. New logo. 25 The Bro Network Security Monitor

  55. Just released ... 26 The Bro Network Security Monitor

  56. Just released ... Bro 2.1 Comprehensive IPv6 support. Tunnel decapsulation. New logging formats (DataSeries / ElasticSearch) Input Framework 26 The Bro Network Security Monitor

  57. Input Framework Example: Blacklists IP Reason Timestamp 66.249.66.1 Connected to honeypot 1333252748 208.67.222.222 Too many DNS requests 1330235733 192.150.186.11 Sent spam 1333145108 27 The Bro Network Security Monitor

  58. User Interface 28 The Bro Network Security Monitor

  59. User Interface type Index : record { ip : addr; }; type Value : record { reason : string; timestamp : time; }; global blacklist : table[ addr ] of Value ; Input:: add_table (source=" blacklist.tsv ", idx= Index , val= Value , destination=blacklist); (Syntax simplified.) 28 The Bro Network Security Monitor

  60. User Interface type Index : record { ip : addr; }; type Value : record { reason : string; timestamp : time; }; global blacklist : table[ addr ] of Value ; Input:: add_table (source=" blacklist.tsv ", idx= Index , val= Value , destination=blacklist); (Syntax simplified.) event connection_established (c: connection) { if ( c$id$orig_h in blacklist ) alarm(...) } 28 The Bro Network Security Monitor

  61. Current Research 29 The Bro Network Security Monitor

  62. Performace: 100 Gb/s Now these sites need a monitoring solution ... Working with cPacket on a 100GE load- balancer! DOE/ESNet 100G Advanced Networking Initiative Source: ESNet Source: ESNet 30 The Bro Network Security Monitor

  63. Production Backbone in Planing 31 The Bro Network Security Monitor

  64. 100 Gb/s Load-balancer The Bro Network Security Monitor

  65. 100 Gb/s Load-balancer cFlow 100G 100Gbps 10Gb/s Bro Cluster The Bro Network Security Monitor

  66. 100 Gb/s Load-balancer cFlow 100G 100Gbps API 10Gb/s Control Bro Cluster The Bro Network Security Monitor

  67. Concurrent Analysis Logs Notification Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 33 The Bro Network Security Monitor

  68. Concurrent Analysis Logs Notification Single Thread Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 33 The Bro Network Security Monitor

  69. Architecture Notification Scripting Language Script Threads Detection Logic Events Event Engine Event Engine Packet Analysis Threads Packet Dispatcher (NIC) Packets Dispatcher Network 34 The Bro Network Security Monitor

  70. Architecture Notification Scripting Language Script Threads Detection Logic Events Event Engine Event Engine Packet Analysis Threads “Cluster in a Box” Packet Dispatcher (NIC) Packets Dispatcher Network 34 The Bro Network Security Monitor

  71. Architecture How to parallelize a scripting language? Notification Scripting Language Script Threads Detection Logic Events Event Engine Event Engine Packet Analysis Threads “Cluster in a Box” Packet Dispatcher (NIC) Packets Dispatcher Network 34 The Bro Network Security Monitor

  72. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue 35 The Bro Network Security Monitor

  73. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue Conn A http_request 35 The Bro Network Security Monitor

  74. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue Conn A Conn A http_request http_reply 35 The Bro Network Security Monitor

  75. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue Conn A Conn A Conn B http_request http_reply http_request 35 The Bro Network Security Monitor

  76. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue Conn A Conn A Conn B Orig X http_request http_reply http_request conn_rejected 35 The Bro Network Security Monitor

  77. Parallel Event Scheduling Threaded Script Interpreter Thread Thread Thread Thread Thread … 1 2 3 4 n Queue Queue Queue Queue Queue Queue Conn A Conn A Conn B Orig X Orig Y http_request http_reply http_request conn_rejected conn_rejected 35 The Bro Network Security Monitor

Recommend

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Outline 1. The Bro Difference 2. Abstract Use Cases 3. From Post-Facto to

530 views • 23 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA BroCon15 MIT, Cambridge, Massachusetts Agenda Outlining a few things Ive worked on ISLET - Software that can be used for Bro training

584 views • 20 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Tools of the Trade Basic Toolbox 1. awk 2. head/tail 3. sort 4. uniq 5. bro-cut 2 / 9

627 views • 41 slides
The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Tools of the Trade Basic Toolbox 1. awk 2. head/tail 3. sort 4. uniq 5. bro-cut 2 / 9

128 views • 9 slides
NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to

NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to

NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to monitor transfers Documentation Medico legal document Audit to learn from incidents Developing the training and competencies

510 views • 12 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
System and Network Management Network Management : ability to monitor, control and plan the

System and Network Management Network Management : ability to monitor, control and plan the

1-1 System and Network Management Network Management : ability to monitor, control and plan the resources and components of computer system and networks network management is a problem created by computer! Goal of network management :

189 views • 8 slides
Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the

Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the

Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the desk freeing up valuable desk space Facilitates instant height and depth adjustment of the screen/s for comfortable viewing and op/mal

393 views • 14 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter 6: Reference Monitors Chapter 6: 2 Agenda Reference monitor, security kernel, and TCB Placing the reference monitor Status information

533 views • 37 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter 6: Reference Monitors Chapter 6: 2 Agenda Reference monitor, security kernel, and TCB Placing the reference monitor Status information

640 views • 41 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context Computers connected in a network - but also: smartphones, fridges, IoT devices, Each device has an IP address Packets are routed via

771 views • 51 slides
Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon

Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon

Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon 4 th year Ph.D. Student Carnegie Mellon University Advisor: Vyas Sekar Research Area: Network Security A Vulnerable Network! Networks: explosion

583 views • 7 slides

More recommend