Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop - - PowerPoint PPT Presentation

broadmap
SMART_READER_LITE
LIVE PREVIEW

Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop - - PowerPoint PPT Presentation

Sep 27, 2022 50 likes •620 views

The Bro Network Security Monitor Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to Medium-term Roadmap Current Research Projects Workshop Wrap-Up 2 Bro Workshop 2011 Version 2.0 Final 3 Bro

slide-1
SLIDE 1

Bro Workshop 2011

Bro Workshop 2011 NCSA, Urbana-Champaign, IL

Broadmap

The Bro Network Security Monitor

slide-2
SLIDE 2

Bro Workshop 2011

Outline

2

Near- to Medium-term Roadmap Current Research Projects Workshop Wrap-Up

slide-3
SLIDE 3

Bro Workshop 2011

Version 2.0 Final

3

slide-4
SLIDE 4

Bro Workshop 2011

Version 2.0 Final

3

Timeline: Early December.

Default scripts rewritten from scratch. New logging system. New build and packaging system. New auto-documentation system (Broxygen). Lots of bugs fixed. Obsolete code removed. New development infrastructure. New regression testing framework. New web server. New mailing lists. New logo.

slide-5
SLIDE 5

Bro Workshop 2011

Upcoming

4

slide-6
SLIDE 6

Bro Workshop 2011

Upcoming

Bro 2.1

New user’s guide. Overhauled IPv6 support. Logging extensions.

Binary logging/Postgresql/CouchDB/SQLite(?) / Threads.

Integration with REN-ISACs CIF. Reaction framework. New/improved analyzers.

Syslog/GridFTP/NFS/SMB/BitTorrent.

Extended test-suite.

4

Aiming for 3-4 months release cycle.

slide-7
SLIDE 7

Bro Workshop 2011

In Planning

5

slide-8
SLIDE 8

Bro Workshop 2011

In Planning

Comprehensive Bro Archive Network (CBAN)

Easy installation of 3rd party scripts.

5

slide-9
SLIDE 9

Bro Workshop 2011

In Planning

Comprehensive Bro Archive Network (CBAN)

Easy installation of 3rd party scripts.

File Analyzer

Protocol-independent file hashing, extraction, decompression, analysis, and reassembly.

5

slide-10
SLIDE 10

Bro Workshop 2011

In Planning

Comprehensive Bro Archive Network (CBAN)

Easy installation of 3rd party scripts.

File Analyzer

Protocol-independent file hashing, extraction, decompression, analysis, and reassembly.

Input Framework.

Real-time interface to external intelligence.

5

slide-11
SLIDE 11

Bro Workshop 2011

In Planning

6

slide-12
SLIDE 12

Bro Workshop 2011

In Planning

Deep Cluster

Pushing Bro deep into your network.

6

slide-13
SLIDE 13

Bro Workshop 2011

In Planning

Deep Cluster

Pushing Bro deep into your network.

Unified packet acquisition and control.

Plugin-based interface to platform capabilities.

6

slide-14
SLIDE 14

Bro Workshop 2011

In Planning

Deep Cluster

Pushing Bro deep into your network.

Unified packet acquisition and control.

Plugin-based interface to platform capabilities.

New/extended protocol analyzers.

Ongoing focus. Working on BinPAC++.

6

slide-15
SLIDE 15

Bro Workshop 2011

In Planning

Deep Cluster

Pushing Bro deep into your network.

Unified packet acquisition and control.

Plugin-based interface to platform capabilities.

New/extended protocol analyzers.

Ongoing focus. Working on BinPAC++.

Internal reorganization and cleanup.

Move to a more modular structure.

6

slide-16
SLIDE 16

Bro Workshop 2011

Current Research Projects

7

slide-17
SLIDE 17

Bro Workshop 2011

Next Stop: 100 Gb/s

8

Source: ESNet

Now these sites need a monitoring solution ... Working with cPacket on a 100GE load- balancer!

Source: ESNet

DOE/ESNet 100G Advanced Networking Initiative

slide-18
SLIDE 18

Bro Workshop 2011

100 Gb/s Load-balancer

slide-19
SLIDE 19

Bro Workshop 2011

100 Gb/s Load-balancer

slide-20
SLIDE 20

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

slide-21
SLIDE 21

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

slide-22
SLIDE 22

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

100Gbps

cFlow 100G

slide-23
SLIDE 23

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

100Gbps

cFlow 100G

10Gb/s

slide-24
SLIDE 24

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

100Gbps

cFlow 100G

10Gb/s

Bro Cluster

slide-25
SLIDE 25

Bro Workshop 2011

SBIR Phase 2 to build prototype.

100 Gb/s Load-balancer

100Gbps

cFlow 100G

10Gb/s

Bro Cluster

API

Control

slide-26
SLIDE 26

Bro Workshop 2011

Concurrent Analysis

10

slide-27
SLIDE 27

Bro Workshop 2011

Concurrent Analysis

Bro is still single-threaded.

Cluster leverages advanced packet-level capabilities to exploit multi-core systems.

10

slide-28
SLIDE 28

Bro Workshop 2011

Concurrent Analysis

Bro is still single-threaded.

Cluster leverages advanced packet-level capabilities to exploit multi-core systems.

Eventually, we want multi-threading.

Scaling with number of cores. Transparent to the operator.

10

slide-29
SLIDE 29

Bro Workshop 2011

Concurrent Analysis

Bro is still single-threaded.

Cluster leverages advanced packet-level capabilities to exploit multi-core systems.

Eventually, we want multi-threading.

Scaling with number of cores. Transparent to the operator.

For some IDS, that’s not so hard.

For others, it is ...

10

slide-30
SLIDE 30

Bro Workshop 2011

Network

Event Engine

Protocol Decoding

Policy Script Interpreter

Analysis Logic

Logs Events Packets Notification 11

Architecture

slide-31
SLIDE 31

Bro Workshop 2011

Single Thread

Network

Event Engine

Protocol Decoding

Policy Script Interpreter

Analysis Logic

Logs Events Packets Notification 11

Architecture

slide-32
SLIDE 32

Bro Workshop 2011

Event Engine

Architecture

12

Network

Packets Events Notification

Script Threads

Scripting Language

Event Engine Threads

Packet Analysis Detection Logic

Dispatcher

Packet Dispatcher (NIC)

slide-33
SLIDE 33

Bro Workshop 2011

Event Engine

Architecture

12

Network

Packets Events Notification

Script Threads

Scripting Language

Event Engine Threads

“Cluster in a Box” Packet Analysis Detection Logic

Dispatcher

Packet Dispatcher (NIC)

slide-34
SLIDE 34

Bro Workshop 2011

Event Engine

Architecture

12

Network

Packets Events Notification

Script Threads

Scripting Language

Event Engine Threads

“Cluster in a Box” Packet Analysis Detection Logic

Dispatcher

Packet Dispatcher (NIC) How to parallelize a scripting language?

slide-35
SLIDE 35

Bro Workshop 2011

HILTI Abstract Machine

13

A High-Level Intermediary Language for Traffic Inspection

slide-36
SLIDE 36

Bro Workshop 2011

HILTI Abstract Machine

13

First-class networking types built-in Containers with state management support Platform for building high-level, reusable functionality on Domain-specific concurrency model Well-defined, contained execution environment

Domain-specific Data Types Robust/Secure Execution Concurrent Analysis High-level Standard Components State Management

Timers can drive execution

Real-time Performance

Support for incremental processing Extensive

  • ptimization

potential Scalability through parallelization Static type-system, and robust error handling Compilation to native code

A High-Level Intermediary Language for Traffic Inspection

slide-37
SLIDE 37

Bro Workshop 2011

HILTI Abstract Machine

13

First-class networking types built-in Containers with state management support Platform for building high-level, reusable functionality on Domain-specific concurrency model Well-defined, contained execution environment

Domain-specific Data Types Robust/Secure Execution Concurrent Analysis High-level Standard Components State Management

Timers can drive execution

Real-time Performance

Support for incremental processing Extensive

  • ptimization

potential Scalability through parallelization Static type-system, and robust error handling Compilation to native code

A High-Level Intermediary Language for Traffic Inspection

slide-38
SLIDE 38

Bro Workshop 2011

Workshop Wrap Up

14

Thanks for coming to the Bro Workshop 2011!

slide-39
SLIDE 39

Bro Workshop 2011

Workshop Wrap Up

14

Thanks for coming to the Bro Workshop 2011! Thanks to NSF for subsidizing workshop attendance.

slide-40
SLIDE 40

Bro Workshop 2011

Building a Community

15

http://www.bro-ids.org

slide-41
SLIDE 41

Bro Workshop 2011

Building a Community

Our goal is to build a larger “Bro Community”.

Users: Exchange of experiences and functionality. Developers: External contributions will be crucial.

15

http://www.bro-ids.org

slide-42
SLIDE 42

Bro Workshop 2011

Building a Community

Our goal is to build a larger “Bro Community”.

Users: Exchange of experiences and functionality. Developers: External contributions will be crucial.

New community resources.

Mailing lists / Blog / Twitter / IRC. Contributed scripts repository.

15

http://www.bro-ids.org

slide-43
SLIDE 43

Bro Workshop 2011

Building a Community

Our goal is to build a larger “Bro Community”.

Users: Exchange of experiences and functionality. Developers: External contributions will be crucial.

New community resources.

Mailing lists / Blog / Twitter / IRC. Contributed scripts repository.

Open development model.

All code in public git repositories. Extensive use of issue tracker.

15

http://www.bro-ids.org

slide-44
SLIDE 44

Bro Workshop 2011

Helping the Bro Project

16

slide-45
SLIDE 45

Bro Workshop 2011

Helping the Bro Project

Tell us!

16

slide-46
SLIDE 46

Bro Workshop 2011

Helping the Bro Project

Tell us! Tell others!

16

slide-47
SLIDE 47

Bro Workshop 2011

Helping the Bro Project

Tell us! Tell others! Help others!

16

slide-48
SLIDE 48

Bro Workshop 2011

Helping the Bro Project

Tell us! Tell others! Help others! Contribute!

16

slide-49
SLIDE 49

Bro Workshop 2011

Shameless Plug

17

slide-50
SLIDE 50

Bro Workshop 2011

Shameless Plug

All of the Bro 2.0 work was only possible with the support from National Science Foundation.

17

slide-51
SLIDE 51

Bro Workshop 2011

Shameless Plug

All of the Bro 2.0 work was only possible with the support from National Science Foundation. We can continue with that for a bit, but only for so long. And we have many more ideas anyway.

17

slide-52
SLIDE 52

Bro Workshop 2011

Shameless Plug

All of the Bro 2.0 work was only possible with the support from National Science Foundation. We can continue with that for a bit, but only for so long. And we have many more ideas anyway. We are looking for more funding to keep the team together, and potentially expand it further.

17

slide-53
SLIDE 53

Bro Workshop 2011

Shameless Plug

All of the Bro 2.0 work was only possible with the support from National Science Foundation. We can continue with that for a bit, but only for so long. And we have many more ideas anyway. We are looking for more funding to keep the team together, and potentially expand it further. Any ideas? Let us know.

17

slide-54
SLIDE 54

Bro Workshop 2011

18

Thanks for Coming!

slide-55
SLIDE 55

Bro Workshop 2011

18

Thanks for Coming!

Homepage

www.bro-ids.org

Twitter

@BRO_IDS

Contact

info@bro-ids.org User mailing list

Development

git.bro-ids.org Developer’s mailing list Commit notification list Vern Paxson Gregor Maier Jim Barlow Jonathan Siwek Gilbert Clark Adam Slagell Seth Hall Robin Sommer Christian Kreibich Daniel Thayer Hui Lin Matthias Vallentin

slide-56
SLIDE 56

Bro Workshop 2011

18

Thanks for Coming!

Please fill out our survey.

Homepage

www.bro-ids.org

Twitter

@BRO_IDS

Contact

info@bro-ids.org User mailing list

Development

git.bro-ids.org Developer’s mailing list Commit notification list Vern Paxson Gregor Maier Jim Barlow Jonathan Siwek Gilbert Clark Adam Slagell Seth Hall Robin Sommer Christian Kreibich Daniel Thayer Hui Lin Matthias Vallentin

slide-57
SLIDE 57

Bro Workshop 2011

18

Thanks for Coming!

Please fill out our survey.

Homepage

www.bro-ids.org

Twitter

@BRO_IDS

Contact

info@bro-ids.org User mailing list

Development

git.bro-ids.org Developer’s mailing list Commit notification list

B r

  • T

u t

  • r

i a l a t A C S A C 2 1 1

One day version of this workshop.

Vern Paxson Gregor Maier Jim Barlow Jonathan Siwek Gilbert Clark Adam Slagell Seth Hall Robin Sommer Christian Kreibich Daniel Thayer Hui Lin Matthias Vallentin