1

An Overview of the Bro Intrusion Detection System
Brian L. Tierney, Vern Paxson
Lawrence Berkeley National Laboratory
2
Bro's Use at LBL
  • Operational 24x7 since 1996
  • Monitors traffic for suspicious behavior or
    policy violations: incoming, outgoing and internal
  • In conjunction with blocking routers, Bro acts as
    a dynamic and intelligent firewall:
      • Blocks access from offending IP addresses
      • Blocks high-risk ports
      • Blocks known high-risk activity
      • Terminates connections and/or sends alarms
  • Locates site policy violations (e.g. Kazaa and
    Gnutella)

3
How Bro Works
  • Taps GigEther fiber link passively, sends up a
    copy of all network traffic.

4
How Bro Works
  • Kernel filters down high-volume stream via
    standard libpcap packet capture library.

[Diagram: Network -> Packet Stream -> libpcap -> Tcpdump Filter -> Filtered Packet Stream]
5
How Bro Works
  • Event engine distills filtered stream into
    high-level, policy-neutral events reflecting
    underlying network activity
  • E.g. connection-level:
      • connection_attempt
      • connection_finished
  • E.g. application-level:
      • ftp_request
      • http_reply
  • E.g. activity-level:
      • login_success

[Diagram: Network -> Packet Stream -> libpcap -> Tcpdump Filter -> Filtered Packet Stream -> Event Engine -> Event Stream (with Event Control back to the Event Engine)]
6
How Bro Works
  • Policy script processes event stream,
    incorporating:
      • Context from past events
      • Site's particular policies

[Diagram: Network -> Packet Stream -> libpcap -> Tcpdump Filter -> Filtered Packet Stream -> Event Engine -> Event Stream -> Policy Script Interpreter (Event Control back to the Event Engine) -> Real-time Notification, Record To Disk]
7
How Bro Works
  • Policy script processes event stream,
    incorporating:
      • Context from past events
      • Site's particular policies
  • and takes action:
      • Records to disk
      • Generates alerts via syslog, email, paging, etc.
      • Executes programs as a form of response

[Diagram: same pipeline as slide 6]
8
Sample Bro Policy
  • Using the Bro language, sites can write custom
    policy scripts to generate alarms on any policy
    violation.
  • For example, if a site only allows external http
    and mail to a small, controlled list of hosts,
    it could do this:

        const web_servers = { www.lbl.gov, www.bro-ids.org, };
        const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };
        redef allow_services_to: set[addr, port] = {
            [mail_servers, smtp],
            [web_servers, http],
        };

  • Bro can then generate an Alarm or even terminate
    the connection for policy violations:

        if ( service !in allow_services )
            NOTICE([$note=SensitiveConnection, $conn=c]);
        if ( inbound && service in terminate_successful_inbound_service )
            terminate_connection(c);
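As an added example (not from the slides, and not Bro script), the same allow-list policy re-expressed in Python and run over constructed connection events; the addresses, the 10.0.0.0/8 local range and the telnet terminate rule are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed addresses standing in for the slide's www.lbl.gov, smtp.lbl.gov
# etc.; the site's own address space is assumed to be 10.0.0.0/8.
LOCAL_NETS = [ip_network("10.0.0.0/8")]
WEB_SERVERS = {ip_address("10.0.1.10"), ip_address("10.0.1.11")}
MAIL_SERVERS = {ip_address("10.0.2.25"), ip_address("10.0.2.26")}
HTTP, SMTP, TELNET = 80, 25, 23

# Bro expands the set initializer [mail_servers, smtp] into every
# (host, port) pair; itertools.product gives the same cross-product.
ALLOW_SERVICES_TO = set(product(MAIL_SERVERS, [SMTP])) | set(product(WEB_SERVERS, [HTTP]))
# Services whose successful inbound connections the policy kills (assumed: telnet).
TERMINATE_SUCCESSFUL_INBOUND_SERVICE = {TELNET}


@dataclass(frozen=True)
class Conn:
    """Minimal stand-in for Bro's connection record (c$id and c$established)."""
    orig_h: str
    resp_h: str
    resp_p: int
    established: bool


def is_local(host: str) -> bool:
    return any(ip_address(host) in net for net in LOCAL_NETS)


def evaluate(c: Conn) -> list:
    """Apply the slide's two rules to one connection event and return the
    actions taken, in order: NOTICE and/or TERMINATE."""
    actions = []
    inbound = not is_local(c.orig_h) and is_local(c.resp_h)
    if not inbound:              # the policy only constrains external access
        return actions
    if (ip_address(c.resp_h), c.resp_p) not in ALLOW_SERVICES_TO:
        actions.append(("NOTICE", "SensitiveConnection"))
    if c.established and c.resp_p in TERMINATE_SUCCESSFUL_INBOUND_SERVICE:
        actions.append(("TERMINATE", f"{c.orig_h} -> {c.resp_h}:{c.resp_p}"))
    return actions


def evaluate_all(conns) -> dict:
    """Map each connection to its actions, skipping ones that need none."""
    return {c: evaluate(c) for c in conns if evaluate(c)}
```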

9
How Bro is Unique
  • 5 years ago Bro was quite unique
  • Less so today
  • Many of Bro's ideas are now in other systems
  • Some commercial IDS systems have adapted Bro's
    policy-based approach
      • E.g. Securify, http://www.securify.com/
  • Snort is now looking at connections, not just
    packets, and has improved performance to match
    Bro
  • But no other system currently supports
    exchanging data across multiple IDS systems

10
Bro Communication
  • New Bro communication library
  • Multiple Bros can now communicate and exchange
    events
  • Currently being tested between LBL and NERSC
  • Comparing / correlating the following Bro Alarms
    across each site:
      • AddressScan, PortScan, AddressDropped,
        SensitivePortmapperAccess, SensitiveConnection
  • Also testing a syslog server that sends events to
    Bro
  • Bro policy is being used to analyze syslog logs,
    e.g.:
      • multiple ssh login failures
      • kernel module load events (rootkit detection)
  • Working on a modified sshd that sends data to Bro
    directly
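As an added example (not from the slides, and not Bro's own code), two of the analyses this slide lists in Python: correlating scan alarms exchanged between two Bros, and counting failed ssh logins from forwarded syslog text. The site names match the slide; the alarm records, syslog lines and time window are constructed.

```python
import re
from collections import Counter, defaultdict

SCAN_ALARMS = {"AddressScan", "PortScan"}

# Constructed alarms as two communicating Bros would exchange them:
# (epoch seconds, site, alarm type, offending source). Not real data.
ALARMS = [
    (1000, "LBL",   "AddressScan",         "198.51.100.9"),
    (1200, "NERSC", "PortScan",            "198.51.100.9"),
    (1300, "LBL",   "PortScan",            "203.0.113.4"),
    (9000, "NERSC", "PortScan",            "203.0.113.4"),
    (1400, "LBL",   "SensitiveConnection", "203.0.113.50"),
]


def correlate_scans(alarms, window):
    """Sources that raised a scan alarm at more than one site within
    `window` seconds, mapped to the sorted list of sites involved."""
    by_src = defaultdict(list)
    for ts, site, kind, src in alarms:
        if kind in SCAN_ALARMS:
            by_src[src].append((ts, site))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            sites = {s for t, s in events[i:] if t - t0 <= window}
            if len(sites) > 1:
                hits[src] = sorted(sites)
                break
    return hits


# Constructed syslog lines of the kind a syslog server forwards to Bro.
SYSLOG = [
    "Mar  3 10:01:02 host1 sshd[4101]: Failed password for root from 198.51.100.9 port 4022 ssh2",
    "Mar  3 10:01:05 host1 sshd[4101]: Failed password for root from 198.51.100.9 port 4023 ssh2",
    "Mar  3 10:01:09 host1 sshd[4101]: Failed password for invalid user admin from 198.51.100.9 port 4024 ssh2",
    "Mar  3 10:02:00 host1 sshd[4188]: Accepted publickey for joe from 10.0.7.7 port 51012 ssh2",
    "Mar  3 10:02:30 host1 sshd[4190]: Failed password for joe from 10.0.7.8 port 51020 ssh2",
]
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


def ssh_failure_sources(lines, threshold):
    """Sources with at least `threshold` failed ssh logins in the syslog text."""
    counts = Counter(m.group(1) for m in map(FAILED_RE.search, lines) if m)
    return {src: n for src, n in counts.items() if n >= threshold}
```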

11
Bro and LHC Computing Possibilities
  • Possible uses of Bro to protect the LHC Grid
    include:
  • Running communicating Bros across Tier 0 and
    Tier 1 centers, looking for coordinated attacks,
    outgoing DoS, large flows to unexpected places,
    etc.
  • Use Bro to verify operational policy
      • E.g. are GridFTPs between host A and B allowed?
  • Use Bro to verify firewall configuration

12
For More Information
  • Web site: http://www.bro-ids.org/
  • Send email to bro@bro-ids.org

13
Extra Slides
14
Typical Approach: Firewall with default-deny
policy
  • A blocking router is a type of firewall
  • Blocks individual services (ports) inbound and
    possibly outbound
  • Blocks address ranges inbound and possibly
    outbound

[Diagram: Internet -> Router -> Firewall (Blocking Router)]
15
LBNL Approach: IDS with Blocking Router
  • IDS controls a blocking router
  • IDS blocks dynamically when an intrusion attempt
    is detected, or alerts upon suspicious activity
  • Router blocks statically, like a firewall
  • Intrusion Prevention

[Diagram: Internet -> Blocking Router, controlled by the IDS]
16
Styles of intrusion detection: Signature-based
  • Core idea: look for specific, known attacks.
  • Example (from Snort):

        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 \
          (flow:to_server,established; \
           content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; \
           msg:"EXPLOIT x86 linux samba overflow"; \
           reference:bugtraq,1816; \
           reference:cve,CVE-1999-0811; \
           classtype:attempted-admin;)

  • Most commercial systems (e.g. ISS RealSecure) are
    signature-based

17
Signature-based (cont.)
  • Can be at different semantic layers, e.g. IP/TCP
    header fields, packet payload, URLs.
  • Pros:
      • good attack libraries, easy to understand
        results.
  • Cons:
      • unable to detect new attacks, or even just
        variants.

18
Styles of intrusion detection: Anomaly detection
  • Core idea: attacks are peculiar.
  • Approach: build/infer a profile of normal use,
    flag deviations.
  • Example: user joe only logs in from host A,
    usually at night.
  • Note: works best for narrowly-defined entities.
  • Pros:
      • potentially detects a wide range of attacks,
        including previously unknown types of attacks.
  • Cons:
      • potentially misses a wide range of attacks,
        including known ones.
      • can potentially be trained to accept attacks as
        normal.

19
Styles of detection: Activity- (or
Specification-) based
  • Core idea: inspect traffic and construct
    events, look for patterns of activity that
    deviate from a site's policy.
  • Example: user joe is only allowed to log in from
    host A.
  • Note: this is the primary approach used by Bro.
  • Pros:
      • potentially detects a wide range of attacks,
        including novel ones.
      • framework can accommodate signatures, anomalies.
  • Cons:
      • policies/specifications require significant
        development and maintenance. Harder to construct
        attack libraries.