bro the network defense framework
play

Bro: The Network Defense Framework Comprehensive Visibility & - PowerPoint PPT Presentation

Apr 05, 2023 •22 likes •422 views

Bro: The Network Defense Framework Comprehensive Visibility & Defense for Every Corner of Your Network Robin Sommer International Computer Science Institute, & Broala, Inc. robin@icsi.berkeley.edu robin@broala.com

  1. Bro: The Network Defense Framework Comprehensive Visibility & Defense for Every Corner of Your Network Robin Sommer International Computer Science Institute, & Broala, Inc. robin@icsi.berkeley.edu robin@broala.com http://www.icir.org/robin

  2. Outline Architecture, deployment, history. Visibility, detection, customization. Scaling & enterprise deployment 2 Bro: The Network Defense Framework

  3. “What Is Bro?” Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 3 Bro: The Network Defense Framework

  4. Typical Deployment Internet 1/10G Border gateway 1/10G Bro LAN 4 Bro: The Network Defense Framework

  5. Architecture Open-source BSD License Analysis Network Intrusion Vulnerability Traffic Compliance Traffic Control Visibility Detection Management Measurement Monitoring Programming Language Standard Library Platform Packet Processing Tap Network 5 Bro: The Network Defense Framework

  6. “Who’s Using It?” Installations across the Country BroCon 2015, MIT Universities & research Labs Most DOE National Labs Update Supercomputing centers Government organizations Fortune 20 enterprises Community 50/90/150/180 attendees at BroCon ’12/’13/’14/‘15 110 organizations at BroCon ‘15 Fully integrated into Security Onion 5,000 Twitter followers 1,000 mailing list subscribers Popular security-oriented Linux distribution 100 users average on IRC channel 1,400 stars on GitHub Direct downloads from 150 countries 6 Bro: The Network Defense Framework

  7. Bro History Host Context Academic Time Machine Enterprise Traffic Publications Summary Stats HILTI TRW 
 DPI Concurrency State Mgmt. PLC Modeling Bro Cluster 
 Independ. State Shunt NetControl Anonymizer 
 Parallel Prototype Input Framework VAST Active Mapping BinPAC Tor Traffic Backdoors Context Signat. DPD SSL Trust USENIX Paper Stepping Stones 2nd Path Autotuning Relationships 2015 2016 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 v2.4 Broker, v2.2 Plugins, Vern File Analysis v2.0 DTLS/KRB v0.7a90 v1.5 v0.2 v0.6 v0.8aX/0.9aX 
 writes Summary Stats User Experience v1.1/v1.2 Profiling BroControl 1st CHANGES RegExps SSL/SMB 1st line when Stmt State Mgmt entry Login analysis STABLE releases of code v2.1 v2.3 Resource tuning BroLite Bro SDCI IPv6 Performance Broccoli Input Framew. SNMP, DPD Radius, SSL++ v0.4 
 v0.7a175/0.8aX v1.4 v1.0 LBNL starts HTTP analysis Signatures DHCP/BitTorrent BinPAC using Bro Bro Center Scan detector SMTP HTTP entities IRC/RPC analyzers operationally IP fragments 
 IPv6 support NetFlow 64-bit support Linux support User manual Bro Lite Deprecated Sane version numbers v0.7a48 v1.3 0.8a37 Consistent Ctor expressions Communication GeoIP Persistence CHANGES Conn Compressor Namespaces Log Rotation 7 Bro: The Network Defense Framework

  8. “What Can It Do?” 
 Custom Visibility Alerts Logic “Network ground truth” 8 Bro: The Network Defense Framework

  9. Bro’s Log Files Rich, structured, real-time metadata streams for incident response & forensics. Network Metadata Raw Traffic Bro Enterprise Analytics (e.g., Splunk, Kafka, Hadoop) 9 Bro: The Network Defense Framework

  10. Connection Logs conn.log Timestamp ts 1393099415.790834 Unique ID CSoqsg12YRTsWjYbZc uid Originator IP 2004:b9e5:6596:9876:[…] id.orig_h Originator Port 59258 id.orig_p Responder IP 2b02:178:2fde:bff:[…] id.resp_h Responder Port 80 id.resp_p IP Protocol tcp proto App-layer Protocol http service Duration 2.105488 duration Bytes by Originator 416 orig_bytes Bytes by Responder 858 resp_bytes TCP state SF conn_state Local Originator? F local_orig Gaps 0 missed_bytes State History ShADafF history Outer Tunnel Connection tunnel_parents Cneap78AnVWoA1yml 10 Bro: The Network Defense Framework

  11. HTTP http.log ts 1393099291.589208 uid CKFUW73bIADw0r9pl id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 54352 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 80 method POST host com-services.pandonetworks.com uri /soapservices/services/SessionStart referrer - user_agent Mozilla/4.0 (Windows; U) Pando/2.6.0.8 status_code 200 username anonymous password - orig_mime_types application/xml resp_mime_types application/xml 11 Bro: The Network Defense Framework

  12. Understand Your Network (1) Top HTTP servers by IP addresses vs host headers. a198-189-255-200.deploy.akamaitechnolgies.com ad.doubleclick.net a198-189-255-216.deploy.akamaitechnolgies.com ad.yieldmanager.com a198-189-255-217.deploy.akamaitechnolgies.com b.scorecardresearch.com a198-189-255-230.deploy.akamaitechnolgies.com clients1.google.com a198-189-255-225.deploy.akamaitechnolgies.com googleads.g.doubleclick.net a198-189-255-206.deploy.akamaitechnolgies.com graphics8.nytimes.com a198-189-255-201.deploy.akamaitechnolgies.com l.yimg.com a198-189-255-223.deploy.akamaitechnolgies.com liveupdate.symantecliveupdate.com 72.21.91.19 mt0.google.com a198-189-255-208.deploy.akamaitechnolgies.com pixel.quantserve.com a198-189-255-207.deploy.akamaitechnolgies.com platform.twitter.com nuq04s07-in-f27.1e100.net profile.ak.fbcdn.net a184-28-157-55.deploy.akamaitechnologies.com s0.2mdn.net a198-189-255-224.deploy.akamaitechnolgies.com safebrowsing-cache.google.com a198-189-255-209.deploy.akamaitechnolgies.com static.ak.fbcdn.net a198-189-255-222.deploy.akamaitechnolgies.com swcdn.apple.com a198-189-255-214.deploy.akamaitechnolgies.com upload.wikimedia.org nuq04s06-in-f27.1e100.net www.facebook.com upload-lb.pmtpa.wikimedia.org www.google-analytics.com nuq04s08-in-f27.1e100.net www.google.com 12 Bro: The Network Defense Framework

  13. SSL ssl.log ts 1392805957.927087 uid CEA05l2D7k0BD9Dda2 id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 40475 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 443 version TLSv10 cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA server_name www.netflix.com CN=www.netflix.com,OU=Operations, subject O=Netflix, Inc.,L=Los Gatos, ST=CALIFORNIA,C=US CN=VeriSign Class 3 Secure Server CA, issuer_subject OU=VeriSign Trust Network,O=VeriSign, C=US not_valid_before 1389859200.000000 not_valid_after 1452931199.000000 client_subject - client_issuer_subject - cert_hash 197cab7c6c92a0b9ac5f37cfb0699268 validation_status ok 13 Bro: The Network Defense Framework

  14. Internal Protocols dhcp.log ts 1392796962.091566 uid Ci3RM24iF4vIYRGHc3 id.orig_h 10.129.5.11 id.resp_h 10.129.5.1 mac 04:12:38:65:fa:68 assigned_ip 10.129.5.11 lease_time 14400.000000 radius.log ts 1392796962.091566 uid Ci3RM24iF4vIYRGHc3 id.orig_h 10.129.5.11 id.resp_h 10.129.5.1 username foo@eduroam.mwn.de mac f0:34:57:91:11:cd remote_ip - result success 14 Bro: The Network Defense Framework

  15. Bro’s Protocol Analyzers AYIYA Ident Rlogin BitTorrent Kerberos Rsh DCE_RPC Login SIP DHCP Modbus SMTP DNP3 MySQL SNMP DNS NCP SOCKS DTLS NFS SSH FTP NTP SSL Finger NetBIOS Syslog GTPv1 PE Telnet Gnutella POP3 Teredo HTTP Portmapper X509 ICMP Radius ZIP IRC RDP 15 Bro: The Network Defense Framework

  16. Software software.log ts 1392796839.675867 host 10.209.100.2 host_p - software_type HTTP::BROWSER name DropboxDesktopClient version.major 2 version.minor 4 version.minor2 11 version.minor3 - version.addl Windows DropboxDesktopClient/2.4.11 unparsed_version (Windows; 8; i32; en_US; Trooper 5694-2047-1832-6291-8315) 16 Bro: The Network Defense Framework

  17. Understand Your Network (2) Top Software by Number of Hosts CaptiveNetworkSupport Firefox MSIE Safari DropboxDesktopClient ocspd GoogleUpdate Chrome Windows-Update-Agent Microsoft-CryptoAPI 17 Bro: The Network Defense Framework

  18. Files files.log ts 1392797643.447056 fuid FnungQ3TI19GahPJP2 tx_hosts 191.168.187.33 rx_hosts 10.1.29.110 conn_uids CbDgik2fjeKL5qzn55 source SMTP analyzers SHA1,MD5 mime_type application/x-dosexec filename Letter.exe duration 5.320822 local_orig T seen_bytes 39508 md5 93f7f5e7a2096927e06e[…]1085bfcfb sha1 daed94a5662a920041be[…]a433e501646ef6a03 18 Bro: The Network Defense Framework

  19. Understand Your Network (3) Top File Types application/octet-stream text/html text/plain application/xml application/x-shockwave-flash image/jpeg image/gif image/png 19 Bro: The Network Defense Framework

  20. Volume of Logs & Files Log entries on a typical weekday in May conn.log 203M dns.log 71M http.log 25M x509.log 5.4M files.log 33M Extracted files (*) 96K Lawrence Berkeley National Laboratory (*) Includes office docs, executables, PDFs. About 5,000 users & 15,000 hosts. 20 Bro: The Network Defense Framework

  21. Bro’s Log Files Rich, structured, real-time metadata streams for incident response & forensics. Network Metadata Raw Traffic Bro Enterprise Analytics (e.g., Splunk, Kafka, Hadoop) Common use cases: Forensics, hunting, profiling 21 Bro: The Network Defense Framework

  22. “What Can It Do?” 
 Custom Visibility Alerts Logic “Watch this!” “Network Ground Truth” Record & trigger actions 22 Bro: The Network Defense Framework

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer

Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer

Legal Aspects of Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer Errata Self Defense in Physical World Applying Self Defense to Computer Network Defense Technology Pen Testing/Red

1.17k views • 82 slides
On Using Symbiotic Relationship to Repel Network Flooding Defense

On Using Symbiotic Relationship to Repel Network Flooding Defense

On Using Symbiotic Relationship to Repel Network Flooding Defense draft-haddad-mipshop-netflood-defense-00 What is a Symbiotic Relationship (SR)? An SR is a unidirectional cryptographic relation between two nodes or between one

377 views • 6 slides
Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer Attacks Objectives After reading this chapter and completing the exercises , you will be able to: Describe the different types of malicious

84 views • 7 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
Computer Network Defense Simulators Advance Cyberspace Protection EADS North America Defense S3

Computer Network Defense Simulators Advance Cyberspace Protection EADS North America Defense S3

Computer Network Defense Simulators Advance Cyberspace Protection EADS North America Defense S3 Inc. 1476 N. Greenmount Rd. OFallon IL 62269 Phone: 618-632-9878 chet.ratcliffe@eads-na-security.com Chet Ratcliffe EVP / CTO EADS North

1.03k views • 44 slides
Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and

Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and

Chair of Network Architectures and Services Technical University of Munich Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and I8 research staff Organization: Dr. Holger Kinkelin, Stefan Liebald

542 views • 17 slides
Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and

Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and

Chair for Network Architectures and Services Technische Universit at M unchen Proseminar Network Hacking and Defense Information Session Prof. Dr.-Ing. Georg Carle and I8 research staff Organization: Dr. Holger Kinkelin, Nadine

315 views • 19 slides
Evaluating Network Security Using Internet-wide Measurements Oliver Gasser Ph. D. Defense, Friday

Evaluating Network Security Using Internet-wide Measurements Oliver Gasser Ph. D. Defense, Friday

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluating Network Security Using Internet-wide Measurements Oliver Gasser Ph. D. Defense, Friday 24 th May, 2019 Chairman: Prof. Dr. Jrg

877 views • 55 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05

Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05

Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05 CCAMP WG, IETF 82 nd Taipei Content of the drafts Informative overview of the OTN layer network Connection management in OTN GMPLS and PCE

580 views • 12 slides
A Comprehensive Framework for Testing Database-Centric Software Applications Gregory M.

A Comprehensive Framework for Testing Database-Centric Software Applications Gregory M.

A Comprehensive Framework for Testing Database-Centric Software Applications Gregory M. Kapfhammer Department of Computer Science University of Pittsburgh PhD Dissertation Defense April 19, 2007 PhD Dissertation Defense, University of

558 views • 39 slides
Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I?

Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I?

Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I? - Technical Director, Enlighten IT Consulting, a MacAulay-Brown company - Software Engineering Consultant - Helped found Apache Rya - Chief

600 views • 17 slides
CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The Foundation of Network Security Stand-alone (ISP/Carrier Server Farm) modular TIPS for Perimeter Defense We brought a prototype for you!

263 views • 24 slides
Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant Opportunities Effective Post-Arrest and Indigent Defense Practices Longview, TX August 10, 2018 Scott Ehlers, Special Counsel T exas Indigent Defense

676 views • 30 slides
A Conceptual Framework for Network Centric Warfare Workshop on Network Centric Warfare and

A Conceptual Framework for Network Centric Warfare Workshop on Network Centric Warfare and

OFT ASDC3I A Conceptual Framework for Network Centric Warfare Workshop on Network Centric Warfare and Network Enabled Capabilities December 17-19, 2002 Ongoing Research Sponsored by OFT and ASD(C3I) EBR RAND OFT ASDC3I Agenda

1.39k views • 107 slides
A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides
Surveillance, Censorship, and Countermeasures Professor Ristenpart

Surveillance, Censorship, and Countermeasures Professor Ristenpart

Surveillance, Censorship, and Countermeasures Professor Ristenpart h/p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

791 views • 39 slides
Survey overview: Online survey in English, Spanish, Portuguese, Haitian Creole, French,

Survey overview: Online survey in English, Spanish, Portuguese, Haitian Creole, French,

Survey overview: Online survey in English, Spanish, Portuguese, Haitian Creole, French, simplified Chinese, Vietnamese + 9 other Asian languages. 433 respondents from across Mass., including 149 households with undocumented members.

371 views • 25 slides
tr s r

tr s r

r rr r rs r s ttsts r tr

406 views • 23 slides
The Writing Process: Creating Common Practices Teacher Institute, Friday May 3, 2013 Debra Polak

The Writing Process: Creating Common Practices Teacher Institute, Friday May 3, 2013 Debra Polak

The Writing Process: Creating Common Practices Teacher Institute, Friday May 3, 2013 Debra Polak and Jaime Cechin, English Faculty, Mendocino College Opener In pairs, discuss: If you are an English teacher, what do you hear about student

419 views • 12 slides
How will we know when machines can read? Matt Gardner , with many collaborators MRQA workshop,

How will we know when machines can read? Matt Gardner , with many collaborators MRQA workshop,

How will we know when machines can read? Matt Gardner , with many collaborators MRQA workshop, November 4, 2019 Look mom, I can read like a human! Look mom, I can read like a human! But... So whats the right evaluation? MRQA 2019 Building

677 views • 41 slides
LHC optical model and necessary corrections (aperture model, tune, -beat, coupling,

LHC optical model and necessary corrections (aperture model, tune, -beat, coupling,

LHC optical model and necessary corrections (aperture model, tune, -beat, coupling, chromaticity...) M. Aiba, C. Alabau, R. Calaga, J. Cardona, O. Dominguez, M. Giovannozzi, S. Fartoukh, V. Kain, M. Lamont, E. Mcintosh, R. Miyamoto, G.

490 views • 31 slides
A semi-analytic way of Simulating light Diego Garcia Gamez, Patrick Green, and Andrzej Szelc 1

A semi-analytic way of Simulating light Diego Garcia Gamez, Patrick Green, and Andrzej Szelc 1

A semi-analytic way of Simulating light Diego Garcia Gamez, Patrick Green, and Andrzej Szelc 1 Introduction Why we need a semi-analytic light simulation model (and why we need it now). How it works and performs. Timing Number

478 views • 44 slides
Stellar Population Modeling of High-z Galaxies and the sSFR Plateau at z ~ 4 7 Valentino

Stellar Population Modeling of High-z Galaxies and the sSFR Plateau at z ~ 4 7 Valentino

Stellar Population Modeling of High-z Galaxies and the sSFR Plateau at z ~ 4 7 Valentino Gonzlez Garth Illingworth, Rychard Bouwens, Ivo Labb, Pascal Oesch Spitzer /IRAC provides valuable constraints to estimate Age and Stellar Mass.

236 views • 20 slides

More recommend