
Bro: A System for Detecting Network Intruders in Real-Time. Vern Paxson. Presented by Klevis Luli.




1 Bro: A System for Detecting Network Intruders in Real-Time (Vern Paxson); presented by Klevis Luli

2 Overview
- What is an IDS?
- Introduction to Bro
- Background & Related work
- How it works
- The Bro language
- Design Decisions
- Attacks on the monitor
- Experience & Future Improvement

3 What is an IDS?
- Intrusion Detection System or Network Intrusion Detection System
- Real-time monitoring
  - Detect attacks as they happen
- Provides valuable information about:
  - Successful attacks
  - Attack attempts
- Passive: monitors and reports
- Active (IPS): employs additional measures to stop the attack
- Good place to put it: the perimeter network (DMZ)

4 Introduction to Bro
- An open source IDS that passively monitors network traffic and analyzes it in real time using deep packet inspection techniques
  - Inspects the data portion of packets for certain patterns
- Goals:
  - High-speed, large-volume monitoring
  - Real-time notifications
  - Separation of mechanism and policy
  - Extensibility
  - No packet drops
  - Protect itself against most attacks

5 Background & Related Work
- Commercial IDSs that do the same
- Related work:
  - An earlier version of this paper
  - A paper by Ptacek and Newsham that focuses on attack methods
  - No background literature on how monitors (IDSs) are built
- This paper describes how Bro is designed and categorizes attacks against monitors in a different way

6 How it works
- Captures network traffic using libpcap
- Filters the relevant network traffic at the kernel level to reduce load
  - Applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin
  - IP fragments
  - TCP packets with the SYN, FIN or RST control bits set (these carry the connection information: time, duration, hosts, ports, ...)
- Has an "event engine":
  - Does integrity checks, reassembles IP datagrams, processes UDP/TCP, creates state for each connection, generates events
- And a "policy script interpreter":
  - Interprets policy scripts (event handlers)
  - The event queue is processed according to the policy scripts
  - Policies are written in the Bro language

7 How it works
- Packet processing is done layer by layer, starting at the network layer and ending at the policy script interpreter
- If an integrity check in the event engine fails, a new event is generated and the packet is dropped
- The policy script interpreter processes every queued event until the queue is empty or a timer expires
- Notification can be done by generating new events, logging real-time notifications via syslog, recording data to disk, ...

8 The Bro Language
- Data types:
  - bool, int, count (unsigned int), double, string, time, interval, port, addr, record, set, table, file, list, pattern
  - Patterns are regular expressions used for matching
  - Operators: C-like, plus in and !in
- Examples:

    filename in /rootkit-1\.[5-8]/

    const allowed_services: set[addr, port] = {
        [ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]],
        [nntp.lbl.gov, nntp],
    };

    if ( [ftp.lbl.gov, ftp] in allowed_services )
        ... it's okay ...

9 Design Decisions
- Built in C++
- Single threaded
  - To avoid race conditions and blocking while waiting for resources (such as DNS lookups)
- Uses "calendar queues" to manage thousands of timers; insert and delete operations complete in O(1) time
- Implemented their own regular-expression matching library
  - Higher performance
  - Offers more advanced pattern matching
- Policy scripts are interpreted
  - Causes considerable overhead

10 Attacks on the monitor
- Overload
  - Send a lot of packets that will be filtered, generate events, or lead to logging/recording to disk, so that the monitor fails to keep up with the network traffic it has to process, and then attempt a network intrusion without being detected
  - Mitigated with better hardware and by keeping the policy scripts confidential (knowing which events require more work requires knowledge of the scripts)
- Crash
  - Make the monitor run out of resources, through vulnerabilities in its source code or by generating a large amount of traffic that creates a lot of state, and then proceed with the intrusion
  - Bro checks whether the engine is jammed, terminates the Bro process while logging the reason and failure data, and executes a copy of tcpdump

11 Attacks on the monitor
- Subterfuge
  - Hides the meaning of the traffic the monitor analyzes
  - Can never be detected if successful
  - Bro employs a lot of countermeasures against the most common of these attacks
- Scan detection
  - Detects port and address scans by keeping track of newly attempted connections to distinct network addresses or ports
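As an added example (not from the slides and not Bro's own code), the allowlist check of slide 8 and the scan-detection idea of slide 11 modelled in Python over constructed connection attempts; every address, port, threshold and record layout below is an assumption.

```python
from collections import defaultdict

# Constructed allowlist in the spirit of the slide's allowed_services set:
# (responder host, responder port) pairs that are expected to be contacted.
ALLOWED_SERVICES = {
    ("10.0.0.5", "21/tcp"), ("10.0.0.5", "25/tcp"), ("10.0.0.5", "113/tcp"),
    ("10.0.0.5", "20/tcp"), ("10.0.0.6", "119/tcp"),
}
ADDR_SCAN_THRESHOLD = 3   # distinct responder hosts contacted by one originator
PORT_SCAN_THRESHOLD = 3   # distinct ports on one responder host from one originator

# Constructed SYN-only connection attempts, as the kernel filter would pass
# them to the event engine: (originator host, responder host, responder port).
ATTEMPTS = [
    ("192.168.1.10", "10.0.0.5", "21/tcp"),
    ("192.168.1.10", "10.0.0.5", "25/tcp"),
    ("192.168.1.10", "10.0.0.6", "119/tcp"),
    ("192.168.1.77", "10.0.0.5", "22/tcp"),   # not in the allowlist
    ("192.168.1.77", "10.0.0.5", "23/tcp"),
    ("192.168.1.77", "10.0.0.5", "80/tcp"),   # third distinct port on one host
    ("192.168.1.99", "10.0.0.1", "80/tcp"),
    ("192.168.1.99", "10.0.0.2", "80/tcp"),
    ("192.168.1.99", "10.0.0.3", "80/tcp"),   # third distinct host
]


def analyze(attempts, allowed=ALLOWED_SERVICES,
            addr_thr=ADDR_SCAN_THRESHOLD, port_thr=PORT_SCAN_THRESHOLD):
    """Return a list of (notice, originator, detail) tuples, in arrival order."""
    hosts_by_orig = defaultdict(set)      # originator -> responder hosts tried
    ports_by_pair = defaultdict(set)      # (originator, responder) -> ports tried
    notices = []
    for orig, resp, port in attempts:
        # Policy check: a connection to a service outside the allowlist is "hot".
        if (resp, port) not in allowed:
            notices.append(("unexpected_service", orig, f"{resp}:{port}"))
        # Address scan: count distinct responder hosts per originator.
        hosts_by_orig[orig].add(resp)
        if len(hosts_by_orig[orig]) == addr_thr:   # fire once, at the threshold
            notices.append(("address_scan", orig, f"{addr_thr} hosts"))
        # Port scan: count distinct ports per (originator, responder) pair.
        ports_by_pair[(orig, resp)].add(port)
        if len(ports_by_pair[(orig, resp)]) == port_thr:
            notices.append(("port_scan", orig, f"{port_thr} ports on {resp}"))
    return notices
```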

12 Experience & Future Improvement
- Experience from 3 years:
  - 85 MB of daily connection summaries, 40 real-time notifications
  - Many false positives
  - Detects 4–5 address and port scans each day
  - 150 incident reports filed
  - "Split routing" is a problem
- Future improvements:
  - Support for additional application protocols
  - Compiling Bro scripts
  - Distributing monitoring across multiple hosts in the network
  - Intrusion prevention abilities

13 The future…
- Bro 2.0 just released; its script tree includes:
  - base/frameworks/cluster
  - base/frameworks/communication
  - base/frameworks/control
  - base/frameworks/dpd
  - base/frameworks/intel
  - base/frameworks/logging
  - base/frameworks/logging/postprocessors
  - base/frameworks/metrics
  - base/frameworks/notice
  - base/frameworks/packet-filter
  - base/frameworks/reporter
  - base/frameworks/signatures
  - base/frameworks/software
  - base/protocols/conn
  - base/protocols/dns
  - base/protocols/ftp
  - base/protocols/http
  - base/protocols/irc
  - base/protocols/smtp
  - base/protocols/ssh
  - base/protocols/ssl
  - base/protocols/syslog
  - policy/integration/barnyard2
  - policy/tuning/defaults
  - policy/tuning

14 Thank you!

