the bro network security monitor
play

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro - PowerPoint PPT Presentation

Jun 19, 2023 •370 likes •584 views

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA BroCon15 MIT, Cambridge, Massachusetts Agenda Outlining a few things Ive worked on ISLET - Software that can be used for Bro training

  1. The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA BroCon15 MIT, Cambridge, Massachusetts

  2. Agenda ◮ Outlining a few things I’ve worked on ◮ ISLET - Software that can be used for Bro training ◮ Mal-dnssearch - Create Bro intel feeds from command-line ◮ Sagan - Log analysis on Bro logs ◮ Nagios - A plug-in to monitor your Bro cluster Some Misc. Bro Related Stuff 2 / 1

  3. ISLET Isolated Scalable and Lightweight Environment for Training ◮ Background ◮ The brototype released at BroCon’14 as BroLive! ◮ Saw something greater and morphed into ISLET ◮ How? ◮ Linux kernel has namespaces and control groups ◮ Lightweight process virtualization ◮ A container based solution for easy deployment ◮ Why? ◮ Improve Bro training ◮ Containers have millisecond startup times ◮ Scalability - hundreds or thousands of users ◮ VM’s are slower, costlier, and larger Some Misc. Bro Related Stuff 3 / 1

  4. ISLET Cont. ◮ User Perspective: Looks and feels like a Virtual Machine ◮ User Perspective: Only needs a remote access tool like a ssh client ◮ Admin Perspective: Deployment of ISLET is dead simple Deploying Bro with ISLET $ git clone http://github.com/ncsa/islet && cd islet $ make bro-training Use $ ssh demo@islet.server.org Official Image: https://registry.hub.docker.com/u/broplatform/brolive/ Some Misc. Bro Related Stuff 4 / 1

  5. ISLET Cont. ◮ Published a paper on ISLET using Bro ◮ Substantiated container startup times with shell ◮ Compared costs using virtual machines and containers ◮ Benchmarked concurrent containers and simulated Bro users Retrieve Paper $ curl http://jonschipp.com/islet/islet-paper.pdf > islet-paper.pdf Some Misc. Bro Related Stuff 5 / 1

  6. ISLET/Bro Benchmark ◮ Simulated Bro training benchmark ◮ Program execution/response time is good indicator for training software ◮ EC2 c4.4xlarge(16CPU,30GB RAM) handles 100+ overly active users ◮ Anecdotally, 100+ users in the wild doing real training 30 Processing Time System Load (1 min avg) Processing Cutoff Point (6 sec) 25 Bro PCAP Processing Time (in seconds) 20 15 10 5 0 0 20 40 60 80 100 120 140 160 180 200 Number of Simulated Users Some Misc. Bro Related Stuff 6 / 1

  7. Mal-dnssearch Intel tool ◮ What? ◮ Command-line intelligence pulling and matching script ◮ Pulls existing feeds and supports many input logs e.g. PCAP, bind, Bro ◮ Can generate data for Bro Intelligence Framework ◮ Why? ◮ While writing the Bro and Intelligence Data post for the Bro blog I was looking for quick and easy way to test and create intel feeds. ◮ How? ◮ mal-dnssearch pulls latest feed and notifies on match with input log ◮ mal-dns2bro formats feeds for Intel Framework Some Misc. Bro Related Stuff 7 / 1

  8. Mal-dnssearch Cont. Intel tool ◮ Intel Framework generation examples Generate Snort Intel $ mal-dnssearch -M snort -p | mal-dns2bro -T ip -s snort -n false -u http://labs.snort.org/feeds/ip-filter.blf > snort.intel Generate Mandiant APT1 Intel $ mal-dnssearch -M mandiant -p | mal-dns2bro -T dns -s mandiant > mandiant.intel Generate custom feed $ mal-dns2bro -f my.md5 -T filehashes -s myorg -n true -u file://my.md5 > custom.intel Some Misc. Bro Related Stuff 8 / 1

  9. Sagan Log Analysis ◮ Background ◮ Plenty of people integrate Bro logs with SIEMs ◮ Many also do system log analysis, why not apply this to Bro’s logs? ◮ How? ◮ Use an existing log analysis tool ◮ OSSEC, Sagan ◮ Choice was Sagan because of existing Bro support and format language ◮ Bro Intel preprocessor to read feeds ◮ Popular and simple rule language ◮ Unified2 output, for easy integration with other tools e.g. Snorby, SGuil, Squert. ◮ Why? ◮ Wanted a quick way to write signatures without touching the cluster ◮ Analysis across host and Bro logs ◮ Maybe offload some work from a saturated Bro cluster Some Misc. Bro Related Stuff 9 / 1

  10. Sagan Detection ◮ Alert on Hola VPN attempts Simple pattern match alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Hola Client"; content: "client.hola.org"; content: " POST "; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 86400; classtype: suspicious-traffic; sid: 11000000; rev:1;) Some Misc. Bro Related Stuff 10 / 1

  11. Sagan Detection Cont. ◮ Alert on excessive non-existent domains from source IP Count of NXDOMAIN matches alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BRO] Excessive NXDOMAIN Responses (10k)"; content: "NXDOMAIN"; after: track by_src, count 10000, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 3600; classtype: suspicious-traffic; sid: 11000005; rev:1;) ◮ Use Bro Intel preprocessor to alert after 10+ bad domains from src IP Count of intel DNS matches alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BRO] Excessive Bad Domains (10+)"; bro-intel: domain; after: track by_src, count 10, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 3600; classtype: suspicious-traffic; sid: 13000000; rev:1;) Some Misc. Bro Related Stuff 11 / 1

  12. Sagan Detection Cont. ◮ Proxy detection via CONNECT method using flowbits - no alert Possible proxy detection alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Possible Proxy via CONNECT"; content: " CONNECT "; content: "ROXY-CONNECTION"; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, bro_possible_proxy_connect, 60; flowbits: noalert; classtype: suspicious-traffic; sid: 11000002; rev:1;) ◮ Alert if we see a transfer from files.log after Proxy detection validation alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Proxy Detected via CONNECT"; content: "SHA"; content:!"0.00"; pcre: "/SSL|HTTP|FTP/"; parse_src_ip: 2; parse_dst_ip: 1; flowbits: isset,by_src,bro_possible_proxy_connect; classtype: suspicious-traffic; sid: 11000004; rev:1;) Some Misc. Bro Related Stuff 12 / 1

  13. Sagan Detection Cont. ◮ Proxy detection via GET or POST method using flowbits - no alert Possible proxy detection alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Possible Proxy via GET or POST"; pcre: "/ GET | POST /"; content: "ROXY-CONNECTION"; pcre: "/http|https|ftp:/"; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, bro_possible_proxy_get, 60; flowbits: noalert; classtype: suspicious-traffic; sid: 11000001; rev:1;) ◮ Alert if we see a transfer from files.log after Proxy detection validation alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] Proxy Detected via GET or POST"; content: "SHA"; content:!"0.00"; pcre: "/SSL|HTTP|FTP/"; parse_src_ip: 2; parse_dst_ip: 1; flowbits: isset,by_src,bro_possible_proxy_get; classtype: suspicious-traffic; sid: 11000003; rev:1;) Some Misc. Bro Related Stuff 13 / 1

  14. Sagan Plans ◮ Write more rules and get them in upstream sagan-rules ◮ Write Bro log normalization rules with liblognorm (testing them now) ◮ Continue to work with Champ "Da Beave" on improving Sagan for Bro Some Misc. Bro Related Stuff 14 / 1

  15. Nagios Plugin ◮ What? ◮ Nagios plug-in to monitor a Bro cluster ◮ Worker status ◮ Packet loss (netstats, Myricom) ◮ Capture loss (capture_loss.log) ◮ Why? ◮ Very the cluster is working and running as expected ◮ How? ◮ Using the Nagios plugin API Some Misc. Bro Related Stuff 15 / 1

  16. Nagios Cont. ◮ Check worker status, critical on stopped or crashed workers Status check_bro.sh -f /bro/bin/broctl -T status ◮ Critical if average packet loss is 10% or greater for specified workers Packet Loss check_bro.sh -f /bro/bin/broctl -T loss -i "nids01,nids02" -c 10 ◮ Critical if capture loss is 10% or greater Capture Loss check_bro.sh -f /bro/logs/current/capture_loss.log -T capture_loss -c 10 ◮ Check packet counters for the following nodes Myricom Packet Counters check_bro.sh -f /opt/snf/bin/myri_counters -T myricom -i "1.1.1.4,1.1.1.5" Some Misc. Bro Related Stuff 16 / 1

  17. Nagios Cont. Plans ◮ Support PF_RING and netmap stats ◮ Use API when broctld is out ◮ Check for communication and other noteworthy errors Retrieve $ git clone https://github.com/jonschipp/nagios-plugins Some Misc. Bro Related Stuff 17 / 1

  18. Feedback/Questions ◮ If you play with this stuff let me know how it’s going ◮ Patches welcome Contact Talk to me Tweet me: @JonSchipp E-mail me: jonschipp@gmail.com, jschipp@illinois.edu Some Misc. Bro Related Stuff 18 / 1

  19. References I Official repository on Github. In https://github.com/jonschipp/islet Schipp, J., Dopheide, J., and Slagell, A., in the proceedings of XSEDE 2015, St. Louis, MO, Jul., 15. ISLET: An Isolated, Scalable, & Lightweight Environment for Training. In http://jonschipp.com/islet/islet-paper.pdf Officical repository on Github. In https://github.com/jonschipp/mal-dnssearch Sagan: A multi-threaded log analysis engine. In http://sagan.quadrantsec.com/ Some Misc. Bro Related Stuff 19 / 1

  20. References II Officical repository on Github. In https://github.com/jonschipp/nagios-plugins Some Misc. Bro Related Stuff 20 / 1

Recommend

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Outline 1. The Bro Difference 2. Abstract Use Cases 3. From Post-Facto to

530 views • 23 slides
The Bro Network Security Monitor Robin Sommer International Computer Science Institute, &

The Bro Network Security Monitor Robin Sommer International Computer Science Institute, &

The Bro Network Security Monitor Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin What is Bro? 2 The Bro Network Security Monitor What is

1.44k views • 126 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Tools of the Trade Basic Toolbox 1. awk 2. head/tail 3. sort 4. uniq 5. bro-cut 2 / 9

627 views • 41 slides
The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI

The Bro Network Security Monitor Tools of the Trade Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Tools of the Trade Basic Toolbox 1. awk 2. head/tail 3. sort 4. uniq 5. bro-cut 2 / 9

128 views • 9 slides
NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to

NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to

NENC London Adult Critical Care Network Transfer audit Why monitor Role of network to monitor transfers Documentation Medico legal document Audit to learn from incidents Developing the training and competencies

510 views • 12 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
System and Network Management Network Management : ability to monitor, control and plan the

System and Network Management Network Management : ability to monitor, control and plan the

1-1 System and Network Management Network Management : ability to monitor, control and plan the resources and components of computer system and networks network management is a problem created by computer! Goal of network management :

189 views • 8 slides
Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the

Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the

Dual-Monitor Mount Op/ons 12/21/15 1 Why Do We Need Monitor Arms? Removes the monitor from the desk freeing up valuable desk space Facilitates instant height and depth adjustment of the screen/s for comfortable viewing and op/mal

393 views • 14 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter 6: Reference Monitors Chapter 6: 2 Agenda Reference monitor, security kernel, and TCB Placing the reference monitor Status information

533 views • 37 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314/ Chapter 6: 1 Chapter 6: Reference Monitors Chapter 6: 2 Agenda Reference monitor, security kernel, and TCB Placing the reference monitor Status information

640 views • 41 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context Computers connected in a network - but also: smartphones, fridges, IoT devices, Each device has an IP address Packets are routed via

771 views • 51 slides
Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon

Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon

Re Re-thinking Ne Network Security in the Presence of Unknown Ne Network Elements Soo-Jin Moon 4 th year Ph.D. Student Carnegie Mellon University Advisor: Vyas Sekar Research Area: Network Security A Vulnerable Network! Networks: explosion

583 views • 7 slides

More recommend