The Bro Intrusion Detection - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

The Bro Intrusion Detection

Description:

SC2003, Phoenix, AZ. Bro. High performance intrusion detection system developed at LBNL and ACRI ... SC2003, Phoenix, AZ. Real Time Processing ... – PowerPoint PPT presentation

Number of Views:376
Avg rating:3.0/5.0
Slides: 25
Provided by: Steph114
Category:

less

Transcript and Presenter's Notes

Title: The Bro Intrusion Detection


1
The Bro Intrusion Detection
  • Stephen Lau
  • NERSC/LBNL
  • November 20, 2003
  • SC2003
  • Phoenix, AZ

2
Bro
  • High performance intrusion detection system
    developed at LBNL and ACRI
  • Vern Paxson primary developer
  • Based on operational experience with high
    performance networks
  • Grew out of tools developed to optimize and
    analyze network traffic
  • Bro Development Goals
  • High speed network monitoring
  • Low packet loss rate
  • Mechanism separate from policy

3
Bro State Model
  • Bro maintains and analyzes state
  • Keeps track of all network connections
  • Reacts to network behavior patterns
  • Signature based systems
  • i.e. Snort, RealSecure
  • Matches patterns seen in network streams

4
Bro Structure
  • Packet capture and filter
  • Built on libpcap
  • Event Engine
  • Evaluates packets
  • Maintains state of the network connections
  • Generates events
  • Policy Script Interpreter
  • Executes scripts written in policy language

5
Bro Structure
Real Time Notification / Record to Disk
Policy Script
Policy Script Interpreter
Event Stream
Event Control
Event Engine
Filtered Packet Stream
tcpdump filter
libpcap
Packet Stream
Network
6
Bro Structure
  • Real time processing
  • Analysis of real time traffic
  • Reaction to any significant events
  • Traffic filtered to only interesting traffic
  • Offline processing
  • Bro capable of archiving network traffic
  • Allows for more detailed analysis
  • Less traffic is filtered

7
Real Time Processing
  • Works in conjunction with border router to drop
    (shun) hosts at the border
  • Capable of injecting RST packets into stream
  • Code Red Worm instances
  • SSH vulnerability exploits
  • Establishes real time alerts based on policy

8
Offline Processing
  • Detects stepping stones
  • Compromised system used as a gateway
  • Detects backdoors
  • i.e. telnet servers on non-standard port
  • Detects file sharing systems
  • Gnutella, Napster, KaZaa

Network DMZ
External Attacker
Compromised Internal System
External Victim
Bro
9
Bro in Practical Use
  • Primary IDS for LBNL/NERSC since 1996
  • Primary IDS for SC00-03 conferences
  • No specialized hardware needed
  • Low cost allows for multiple deployment
  • Requirements
  • FreeBSD
  • Intel platform
  • Fiber tap
  • Disk space to archive data

10
Defense in Depth
  • Host Level
  • Anti Virus Software
  • Active Scanning
  • Unused services
  • disabled
  • Process Accounting
  • Encrypted Passwords
  • Users / staff
  • Staff Security Team
  • Usage Agreements
  • Periodic training
  • Emails on key issues
  • Internal Network
  • Network Isolation
  • Firewalls
  • Subnet traffic
  • filtering

11
Use of Bro Within NERSC
ESNet
Multiple Bro Systems
  • Real Time Analysis
  • Redundant Backup
  • Test Box
  • Bulk Traffic Recorder

Tapped Traffic
Network Traffic

Filtering Border Router
ACL Insertion
Multiple IDS
  • Snort
  • Bro Heavyweight Protocol Analysis
  • Bro GRID / SSL Analysis

Tapped Traffic
Tapped Traffic
  • Internal Traffic Bro Monitor
  • Wireless Network Bro Monitor

NERSC
Wireless Network
12
Bro at NERSC
  • 24/7 monitoring
  • Tied into a paging system for on-call security
    person
  • Bro checkpointed at set intervals
  • Clears out orphaned sessions
  • Allows for offline data analysis
  • Data archiving
  • Maintain traffic data for about 3 months
  • Anything beyond that is subpoena bait
  • Maintain network connection data forever

13
NERSC Network Traffic3 Week Period
14
Total NERSC Connections
15
Valid NERSC Connections
16
Practical Bro
  • Automatic ACL injection has very low false
    positive rate
  • At NERSC average about 1 every 6 months
  • Reports generated whenever checkpointed
  • Results from blocks and odd events
  • Results from offline analyzer
  • Backdoors and KaZaa traffic
  • Takes some time to learn the traffic

17
What Do We See
  • Usual stuff
  • Lots and lots and lots and lots of scans
  • Slow scans, flash scans, nmap, nessus, ISS
  • Many worms and viruses
  • Code Red, Nimda, etc...
  • Lots of backscatter
  • Fun stuff and stuff we really shouldnt see
  • Broken TCP stacks
  • Private network traffic (192.168.0.0, etc)
  • Broken NATs
  • Odd user behaviour
  • Odd OS/application behaviour

18
Bro at SC03
  • Bro primary IDS for SC conference since SC00
  • Used to monitor SCinet traffic
  • Maximum observed bandwidth
  • 16.8Gbps at SC2002 (Bandwidth Challenge)
  • Used router hardware BPF
  • Passive monitoring only
  • Automatic countermeasures disabled

19
Bro at SC03
  • IDS for SCinet
  • Ensure conference network does not get taken down
    by attacks
  • Detect 0wned systems
  • Monitor for odd behavior
  • Educational tool for attendees
  • Password capture and display
  • Alert exhibitors to risky behavior
  • i.e. .rhosts with root enabled

20
SCinet Bro Infrastructure
21
Bro Future Directions
  • Grid related technologies
  • Ability to detect Grid related protocols
  • X.509 Certificate Analyzer
  • SSL Analyzer
  • Verify certificates are legitimate
  • Router Shunting
  • Primary bottleneck in moving packets into user
    space
  • Leverage router based hardware filtering to
    analyze packets of interest
  • Proof of concept demo at SC01-03
  • Utilizing Bro and Juniper router
  • Hardware based BPF to filter traffic

22
Port Mirroring
External Network
Mirrored Traffic
Juniper
GigE Interface
Bro
Internal Network
23
Filter-based Forwarding
External Network

Filtered Traffic

Bro
GigE Interface
Filter
Juniper
Internal Network
24
Contact Information
  • Stephen Lau
  • 1 Cyclotron Road, M/S 943
  • Berkeley, CA 94720
  • Phone 1 (510) 486-7178
  • Email slau_at_lbl.gov
  • PGP 44C8 C9CB C15E 2AE1 7B0A
  • 544E 9A04 AB2B F63F 748B
Write a Comment
User Comments (0)
About PowerShow.com