bro 2 0 and beyond
play

Bro 2.0 and Beyond Network Attack Detection and Defense Early - PowerPoint PPT Presentation

Aug 29, 2022 •111 likes •742 views

The Bro Network Security Monitor Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012 Dagstuhl 2012 2 Outline Bro Introduction Much different from the typical IDS you may know Hot off

  1. The Bro Network Security Monitor Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012 Dagstuhl 2012

  2. 2

  3. Outline Bro Introduction “Much different from the typical IDS you may know” Hot off the Press: Bro 2.0 Focus on operational deployment Current Research Projects Real-time Intelligence Performance for next-gen environments 3 Dagstuhl 2012

  4. What is Bro? 4 Dagstuhl 2012

  5. What is Bro? Packet Capture 4 Dagstuhl 2012

  6. What is Bro? Packet Capture Traffic Inspection 4 Dagstuhl 2012

  7. What is Bro? Packet Capture Traffic Inspection Attack Detection 4 Dagstuhl 2012

  8. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog 4 Dagstuhl 2012

  9. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Abstraction Data Structures 4 Dagstuhl 2012

  10. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Abstraction Data Structures 4 Dagstuhl 2012

  11. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 4 Dagstuhl 2012

  12. What is Bro? Packet Capture Traffic Inspection Attack Detection “Domain-specific Python” NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 4 Dagstuhl 2012

  13. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Can accommodate a range of detection approaches. Policy-neutral at the core. Highly stateful. Tracks extensive application-layer network state. Supports forensics. Extensively logs what it sees. 5 Dagstuhl 2012

  14. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Vern writes 1st line of code 6 Dagstuhl 2012

  15. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Vern writes 1st line of code LBNL starts using Bro operationally 6 Dagstuhl 2012

  16. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 v0.2 v0.7a90 v1.1/v1.2 v1.5 Vern writes 1st v0.6 v0.8aX/0.9aX Bro 2.0 1st CHANGES Profiling when Stmt BroControl line of code RegExps SSL/SMB entry State Mgmt STABLE releases Resource Login analysis BroLite tuning Bro Waters Broccoli DPD v0.7a175/0.8aX v1.0 v1.4 v0.4 LBNL starts Signatures BinPAC DHCP/BitTorrent HTTP analysis using Bro SMTP IRC/RPC analyzers HTTP entities Scan detector operationally IPv6 support 64-bit support NetFlow IP fragments User manual Sane version Bro Lite Deprecated Linux support numbers 0.8a37 v1.3 v0.7a48 Communication Ctor expressions Consistent Persistence GeoIP CHANGES Namespaces Conn Compressor Log Rotation 6 Dagstuhl 2012

  17. Bro History Host Context Academic Time Machine Enterprise Traffic Publications TRW State Mgmt. Bro Cluster Independ. State Shunt Parallel Prototype Anonymizer BinPAC Stepping Stone Active Mapping DPD USENIX Paper Detector Context Signat. 2nd Path Autotuning 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 v0.2 v0.7a90 v1.1/v1.2 v1.5 Vern writes 1st v0.6 v0.8aX/0.9aX Bro 2.0 1st CHANGES Profiling when Stmt BroControl line of code RegExps SSL/SMB entry State Mgmt STABLE releases Resource Login analysis BroLite tuning Bro Waters Broccoli DPD v0.7a175/0.8aX v1.0 v1.4 v0.4 LBNL starts Signatures BinPAC DHCP/BitTorrent HTTP analysis using Bro SMTP IRC/RPC analyzers HTTP entities Scan detector operationally IPv6 support 64-bit support NetFlow IP fragments User manual Sane version Bro Lite Deprecated Linux support numbers 0.8a37 v1.3 v0.7a48 Communication Ctor expressions Consistent Persistence GeoIP CHANGES Namespaces Conn Compressor Log Rotation 6 Dagstuhl 2012

  18. “Who’s Using It?” 7 Dagstuhl 2012

  19. Example Logs 8 Dagstuhl 2012

  20. Example Logs > bro -i en0 [ ... wait ...] > cat conn.log 8 Dagstuhl 2012

  21. Example Logs > bro -i en0 [ ... wait ...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration 1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929 1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460 1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440 1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711 1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667 1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346 1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663 8 Dagstuhl 2012

  22. Example Logs > bro -i en0 [ ... wait ...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration 1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929 1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460 1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440 1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711 1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667 1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346 1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663 > cat http.log 8 Dagstuhl 2012

  23. Example Logs > bro -i en0 [ ... wait ...] > cat conn.log #fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration 1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929 1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460 1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440 1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711 1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667 1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346 1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663 > cat http.log #fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...] 1144876741.6335 192.150.186.169 53116 docs.python.org /lib/lib.css 200 Mozilla/5.0 1144876742.1687 192.150.186.169 53116 docs.python.org /icons/previous.png 304 Mozilla/5.0 1144876741.2838 192.150.186.169 53115 docs.python.org /lib/lib.html 200 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/up.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/next.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/contents.png 304 Mozilla/5.0 1144876742.3337 192.150.186.169 53116 docs.python.org /icons/modules.png 304 Mozilla/5.0 1144876742.3338 192.150.186.169 53116 docs.python.org /icons/index.png 304 Mozilla/5.0 1144876745.6144 192.150.186.169 53117 www.google.com / 200 Mozilla/5.0 8 Dagstuhl 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Motivation Motivation 2 Typical e-commerce sites are complex, consisting of hundreds of

Motivation Motivation 2 Typical e-commerce sites are complex, consisting of hundreds of

A METHOD FOR A METHOD FOR EVALUATING THE IMPACT OF SOFTWARE CONFIGURATION PARAMETERS ON E PARAMETERS ON E- COMMERCE SITES Monchai Sopitkamol Daniel A. Menasc George Mason University Kasetsart University Dept. of Computer Science, MS 4A5

360 views • 21 slides
Knock Knock Understanding Who is Using Your Web Applications Aaron Bedra Application Security

Knock Knock Understanding Who is Using Your Web Applications Aaron Bedra Application Security

Knock Knock Understanding Who is Using Your Web Applications Aaron Bedra Application Security Lead Braintree Payments Tuesday, April 23, 13 Right now, your web applications are being attacked Tuesday, April 23, 13 And it will happen

1.96k views • 141 slides
Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior

Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior

Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior Linux Consultant May 28, 2015 NLUUG Conf, Utrecht, Netherlands Overview Introduction Performance tuning is Science! A little Law and

595 views • 47 slides
SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler, and Eric Brewer Computer Science Division University of California, Berkeley Symposium on Operating Systems Principles (SOSP), October 2001

466 views • 24 slides
A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent operators A convergent operator assures a specific network state and is idempotent if that state exists already. Example 1: set a parameter to a

707 views • 21 slides
CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science University of Calgary Fall 2017 Agenda Welcome! Course Overview Learning Outcomes Administrative Details Expectations Q&A

559 views • 21 slides
KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com)

KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com)

KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com) August 11, 2006 Outline KLone Development Applications Wrap-Up KLone What is it? Use Cases Features Libraries Workings Development

1.16k views • 92 slides
On the Effectiveness of Kernel Debloating via Compile-time Configuration Mansour Alharthi, Hong

On the Effectiveness of Kernel Debloating via Compile-time Configuration Mansour Alharthi, Hong

On the Effectiveness of Kernel Debloating via Compile-time Configuration Mansour Alharthi, Hong Hu, Hyungon Moon, Taesoo Kim The problem of bloated software High complexity: more vulnerabilities Unused interfaces: an attacker can use

720 views • 25 slides
Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho,

Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho,

Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho, Seongmin Lee, Jeongju Sohn, and Shin Yoo Date 2017.01.30, The 50th CREST Open Workshop Offline Improvement Expensive Fig. 1. GP improvement of MiniSAT.

391 views • 28 slides
Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger

Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger

Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger Knublauch, Mark A. Musen SMI - Stanford University Semantic Web Services Workshop - ISWC 2004 Context Semantic Web Ontology scope Web Services

540 views • 20 slides
Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code

Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code

Chair of Softw are Engineering C# Programming in Depth Prof. Dr. Bertrand Meyer March 2007 May 2007 Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code hosted by a web server that can be accessed

528 views • 27 slides
Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of

Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of

Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of Computer Engineering Khon Kaen University 1 Agenda Introduction to Programming Web Services in Managed Code Programming the Web with Web

1.02k views • 34 slides
The Web Service Modeling Language WSML An Overview Jos de Bruijn 1 , Holger Lausen 1 , Axel

The Web Service Modeling Language WSML An Overview Jos de Bruijn 1 , Holger Lausen 1 , Axel

The Web Service Modeling Language WSML The Web Service Modeling Language WSML An Overview Jos de Bruijn 1 , Holger Lausen 1 , Axel Polleres 1 , 2 and Dieter Fensel 1 1 Digital Enterprise Research Institute (DERI) {

1.13k views • 75 slides
Web Services and Student Events Web Services and Student Events Vernon (Vern) Huber Asst.

Web Services and Student Events Web Services and Student Events Vernon (Vern) Huber Asst.

Web Services and Student Events Web Services and Student Events Vernon (Vern) Huber Asst. Dir. Application Development and DB Support (ADDS) University of Illinois at Springfield Student Events - CollegiateLinks UIS Connection licensed

498 views • 22 slides
Mobile Interaction with Web Services through Associated Real World Objects Demo @ MobileHCI,

Mobile Interaction with Web Services through Associated Real World Objects Demo @ MobileHCI,

Mobile Interaction with Web Services through Associated Real World Objects Demo @ MobileHCI, 2007, Singapore Gregor Broll 1 , John Hamard 3 , Massimo Paolucci 3 , Markus Haarlnder 1 , Matthias Wagner 3 , Sven Siorpaes 1 , Enrico Rukzio 2 ,

242 views • 5 slides
Unraveling the Web Services An Introduc7on to SOAP,

Unraveling the Web Services An Introduc7on to SOAP,

Unraveling the Web Services An Introduc7on to SOAP, WSDL and UDDI Sri Harsha Bolise? Overview Web Services SOAP WSDL UDDI

380 views • 15 slides
Model-based Methods for Linking Web Service Choreography and Orchestration Jun Sun, Yang Liu,

Model-based Methods for Linking Web Service Choreography and Orchestration Jun Sun, Yang Liu,

Model-based Methods for Linking Web Service Choreography and Orchestration Jun Sun, Yang Liu, Jin Song Dongy, Geguang Pu and Tian Huat Tan Outline PAT Introduction and Demo Overview of Web Services (WS) T wo views of WS

528 views • 17 slides
1 Why bother? Google APIs

1 Why bother? Google APIs

Administrivia !""#

542 views • 5 slides
Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software

Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software

Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software Systems Dept. of Computer Science University College London http://sse.cs.ucl.ac.uk Setting the scene Deutsche Bank AG has agreed to

414 views • 13 slides
The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see

The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see

CONGRESSIONAL BUDGET OFFICE The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see www.cbo.gov/publication/53651. CBO Deficits as a percentage of gross domestic product are projected to increase over the next few

477 views • 13 slides
WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the

WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the

WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the University of North Carolina School of Medicine and provide resources for additional information. Topics covered in this slide deck include:

681 views • 11 slides
Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners

Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners

Commonwealth Mariele McGlazer Virtual Training Series Innovation Manager Granite United Way Cary Gladstone Senior Director of Asset Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners Mindy

823 views • 32 slides
Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21 The webs evolution We want richer web

521 views • 21 slides
CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating

CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating

CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating Systems Lecture 2 Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/

503 views • 18 slides

More recommend