Flexible, High-Speed Intrusion Detection Using Bro

1
Flexible, High-Speed Intrusion Detection Using Bro
Vern Paxson
Computational Research Division, Lawrence Berkeley National Laboratory
and
ICSI Center for Internet Research, International Computer Science Institute
Berkeley, CA USA
vern@icir.org
http://www-nrg.ee.lbl.gov/bro.html
2
Protect Rather Than Secure
  • Modern science critically depends on diverse,
    high-performance Internet communication
  • Increasingly difficult given rising security
    threats
  • Alternative institutional approach: network
    intrusion detection
    • Monitor network traffic, look for attacks
  • Key point: tenable due to threat model at open
    research institutes
    • Few jewels
    • Low level of compromises is tolerable
  • Particularly effective when combined with dynamic
    blocking (reactive firewall)
    • Potentially keeps "Default Allow" viable

3
Bro Design Goals (1990s)
  • Monitor traffic in a very high performance
    environment
  • Real-time detection and response
  • Separation of mechanism from policy
  • Ready extensibility of both mechanism and policy
  • Resistant to evasion

4
How Bro Works
  • Taps GigEther fiber link passively, sends up a
    copy of all network traffic.

(Diagram: Network tap → Bro)
5
How Bro Works
  • Kernel filters down high-volume stream via
    standard libpcap packet capture library.

(Diagram: Network → Packet Stream → libpcap → Tcpdump Filter → Filtered Packet Stream)
6
How Bro Works
  • Event engine distills filtered stream into
    high-level, policy-neutral events reflecting
    underlying network activity
  • E.g., connection_attempt, http_reply,
    user_logged_in

(Diagram: Network → Packet Stream → libpcap → Tcpdump Filter → Filtered Packet Stream → Event Engine → Event Stream / Event Control)
7
How Bro Works
  • Policy script processes event stream,
    incorporates
    • Context from past events
    • Site's particular policies

(Diagram: Network → Packet Stream → libpcap → Tcpdump Filter → Filtered Packet Stream → Event Engine → Event Stream / Event Control → Policy Script Interpreter (loads Policy Script) → Real-time Notification / Record To Disk)
8
How Bro Works
  • Policy script processes event stream,
    incorporates
    • Context from past events
    • Site's particular policies
  • ... and takes action
    • Records to disk
    • Generates alerts via syslog, paging
    • Executes programs as a form of response
    • Sends events to other Bros

(Diagram: Network → Packet Stream → libpcap → Tcpdump Filter → Filtered Packet Stream → Event Engine → Event Stream / Event Control → Policy Script Interpreter (loads Policy Script) → Real-time Notification / Record To Disk)
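
The four "How Bro Works" slides above describe one pipeline: a capture filter in the kernel, a policy-neutral event engine, and a policy script that keeps context and takes action (slide 10 later notes that the LBNL Bro blocks remote addresses mostly for scanning). The following is an added illustration of that layering, not Bro's own code: the packet fields, the connection_established event, the five-second SYN timeout, the scan threshold and the sample traffic are all assumptions made for the example.

```python
"""Toy model of the pipeline on the 'How Bro Works' slides: packet stream ->
tcpdump/libpcap filter -> event engine -> policy script.  Added illustration,
not Bro's own code; the packet fields, the connection_established event, the
SYN timeout and the scan threshold are assumptions made for the example."""
from collections import defaultdict
from typing import Callable, NamedTuple


class Packet(NamedTuple):
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "P" = data segment


# Layer 1: capture filter.  Stands in for the BPF expression handed to libpcap:
# only SYN and SYN/ACK packets reach user space, data segments stay in the kernel.
def capture_filter(pkt: Packet) -> bool:
    return pkt.flags in ("S", "SA")


# Layer 2: event engine.  Policy-neutral: it only turns packets into events.
class EventEngine:
    def __init__(self, emit: Callable[..., None], timeout: float = 5.0):
        self.emit = emit            # callback into the policy layer
        self.timeout = timeout
        self.pending = {}           # (orig, resp, port) -> timestamp of the SYN

    def feed(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        if pkt.flags == "S":
            self.pending.setdefault((pkt.src, pkt.dst, pkt.dport), pkt.ts)
        elif pkt.flags == "SA":
            key = (pkt.dst, pkt.src, pkt.sport)   # SYN/ACK flows back to the originator
            if self.pending.pop(key, None) is not None:
                self.emit("connection_established", orig=key[0], resp=key[1], port=key[2])

    def _expire(self, now: float) -> None:
        # A SYN unanswered for `timeout` seconds becomes a connection_attempt event.
        for key, ts in list(self.pending.items()):
            if now - ts > self.timeout:
                del self.pending[key]
                self.emit("connection_attempt", orig=key[0], resp=key[1], port=key[2])

    def flush(self) -> None:
        self._expire(float("inf"))


# Layer 3: policy script.  Keeps context across events and decides on actions.
class PolicyScript:
    def __init__(self, scan_threshold: int = 5):
        self.scan_threshold = scan_threshold
        self.ports_probed = defaultdict(set)   # context: distinct ports tried per source
        self.blocked = set()
        self.actions = []                      # stands in for record-to-disk / syslog / exec

    def dispatch(self, name: str, **fields) -> None:
        getattr(self, name)(fields)            # handler has the same name as the event

    def connection_attempt(self, e):
        probed = self.ports_probed[e["orig"]]
        probed.add(e["port"])
        if len(probed) >= self.scan_threshold and e["orig"] not in self.blocked:
            self.blocked.add(e["orig"])
            self.actions.append(("block", e["orig"]))   # hand to the reactive firewall

    def connection_established(self, e):
        self.actions.append(("record", f"{e['orig']} -> {e['resp']}:{e['port']}"))


def run(packets):
    """Push packets through filter, engine and policy; return (blocked, actions)."""
    policy = PolicyScript()
    engine = EventEngine(policy.dispatch)
    for pkt in filter(capture_filter, sorted(packets)):   # sorted = time order
        engine.feed(pkt)
    engine.flush()
    return sorted(policy.blocked), policy.actions


# Constructed sample traffic: one host probes five ports on 192.168.1.10 and
# never gets a reply; another completes a handshake; a data segment is filtered.
SAMPLE = [Packet(float(i), "10.0.0.99", "192.168.1.10", 40000 + i, p, "S")
          for i, p in enumerate((21, 22, 23, 25, 80))]
SAMPLE += [Packet(1.0, "10.0.0.5", "192.168.1.10", 51000, 80, "S"),
           Packet(1.1, "192.168.1.10", "10.0.0.5", 80, 51000, "SA"),
           Packet(1.2, "10.0.0.5", "192.168.1.10", 51000, 80, "P")]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The point of the split is the one the slides make: the engine never decides anything, so a site can change the scan threshold or the response (record, alert, block, forward to another Bro) by editing only the policy layer.
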
9
Signature Engine
  • Bro also includes a signature engine for matching
    specific patterns in packet streams
    • Conceptually simple
    • Easy to share
    • Compatible with Snort (widely used freeware IDS)
      • E.g., can run on Snort's default set of 1,900
        signatures
    • ... but of limited power: basically, a useful hack
  • As with other Bro analysis, signature matches
    generate events amenable to high-level policy
    script processing, rather than direct alerts

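The last bullet of this slide is the design point worth seeing in code: a signature match is an event, and the policy script decides with context whether it becomes an alert. Below is an added illustration, not Bro's or Snort's code. The rule syntax is a simplified, assumed subset of Snort's content rules; the rule, the sample traffic and the "alert only if the server answered 2xx" criterion are constructed for the example.

```python
"""Toy signature engine in the spirit of the Signature Engine slide.  Added
illustration, not Bro's or Snort's code: the rule syntax is a simplified,
assumed subset of Snort's; rule, traffic and alert criterion are constructed."""
import re
from collections import defaultdict

# Header: alert tcp <src> <sport> -> <dst> <dport> (<options>)
RULE_RE = re.compile(r"^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(line: str) -> dict:
    """Parse one Snort-style content rule into a dict.  Simplification: option
    values may not themselves contain ';' or ':'."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    dport, options = m.groups()
    rule = {"dport": None if dport == "any" else int(dport)}
    for opt in options.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            rule[key.strip()] = value.strip().strip('"')
    rule["content"] = rule["content"].encode()   # matched as raw bytes
    rule["sid"] = int(rule["sid"])
    return rule


class SignatureEngine:
    """Mechanism only: reports which rule matched which connection as an event."""
    def __init__(self, rules, emit):
        self.rules = [parse_rule(r) for r in rules]
        self.emit = emit

    def scan(self, conn: str, dport: int, payload: bytes) -> None:
        for r in self.rules:
            if r["dport"] in (None, dport) and r["content"] in payload:
                self.emit("signature_match", conn=conn, sid=r["sid"], msg=r["msg"])


class Policy:
    """Policy: a match alone is only recorded; it becomes an alert when the
    server's http_reply shows the request succeeded (2xx).  Matches are kept
    as per-connection context until that reply arrives."""
    def __init__(self):
        self.matches = defaultdict(list)   # conn -> [(sid, msg)] awaiting a reply
        self.notices = []                  # ("log" | "alert", conn, sid, msg)

    def dispatch(self, name: str, **fields) -> None:
        getattr(self, name)(fields)

    def signature_match(self, e):
        self.matches[e["conn"]].append((e["sid"], e["msg"]))
        self.notices.append(("log", e["conn"], e["sid"], e["msg"]))

    def http_reply(self, e):
        pending = self.matches.pop(e["conn"], [])
        if 200 <= e["status"] < 300:
            for sid, msg in pending:
                self.notices.append(("alert", e["conn"], sid, msg))


# Constructed rule: any TCP connection to port 80 carrying this request path.
RULES = ['alert tcp any any -> any 80 (msg:"example CGI probe"; '
         'content:"/cgi-bin/vuln-example"; sid:1;)']

# Constructed traffic: (connection id, record kind, data).  A "request" carries
# (destination port, payload bytes); a "reply" carries the HTTP status code.
SAMPLE_TRAFFIC = [
    ("c1", "request", (80, b"GET /cgi-bin/vuln-example HTTP/1.0\r\n\r\n")),
    ("c1", "reply", 200),     # probe succeeded -> alert
    ("c2", "request", (80, b"GET /cgi-bin/vuln-example HTTP/1.0\r\n\r\n")),
    ("c2", "reply", 404),     # probe failed -> logged only
    ("c3", "request", (80, b"GET /index.html HTTP/1.0\r\n\r\n")),
    ("c3", "reply", 200),     # benign request -> nothing
    ("c4", "request", (8080, b"GET /cgi-bin/vuln-example HTTP/1.0\r\n\r\n")),
    ("c4", "reply", 200),     # wrong port for the rule -> no match
]


def run(traffic):
    """Feed requests to the signature engine and replies to the policy."""
    policy = Policy()
    engine = SignatureEngine(RULES, policy.dispatch)
    for conn, kind, data in traffic:
        if kind == "request":
            engine.scan(conn, *data)
        else:
            policy.dispatch("http_reply", conn=conn, status=data)
    return policy.notices


if __name__ == "__main__":
    for notice in run(SAMPLE_TRAFFIC):
        print(notice)
```

A plain signature matcher would alert on c1, c2 and (depending on the rule) c4 alike; routing the match through the policy layer lets the site fold in what it already knows about the connection, here the server's response, before paging anyone.
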
10
Status
  • Operational 24x7: LBNL (border & internal),
    NERSC, UC Berkeley, TUM, NCSA
  • Runs on commodity Unix PCs, but getting hard!
  • 80K lines of C, 12K lines of policy scripts, 200
    page user manual
  • Main LBNL Bro blocks 50-500 remote addresses/day,
    mostly for scanning
  • Provides extensive logs, invaluable for forensics
    & site traffic analysis

11
R&D Support
  • Funded variously via overhead, operations,
    research grants
  • Current research support:
    • NSF Strategic Technologies for the Internet
    • Likely DOE support soon for developing as a
      potential community resource ...
  • Pending R&D proposal to DOE for very high-speed
    monitoring

13
Making Bro Broadly Available
  • Broader documentation: setup, operational
    procedures, analysis techniques, FAQ
  • Tutorials (already have in-house)
  • Bug-tracking system
  • Test suites
  • Production vs. research code trees
  • Framework for integrating contributions
  • GUIs for configuration, log analysis
  • Framework for rapid dissemination of new
    scripts/policies/signatures

14
R&D Support
  • Funded variously via overhead, operations,
    research grants
  • Current research support:
    • NSF Strategic Technologies for the Internet
    • Likely DOE support soon for developing as a
      potential community resource ...
  • Pending R&D proposal to DOE for very high-speed
    (10-40 Gbps) monitoring

15
Prefiltering (Prototyped at SC02, SC03)
16
Shunting
17
Discussion/Questions?
  • http://www-nrg.ee.lbl.gov/bro.html
  • vern@icir.org