broverview
play

Broverview Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro - PowerPoint PPT Presentation

May 19, 2023 •425 likes •1.12k views

The Bro Network Security Monitor Broverview Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline 2 Bro Workshop 2011 Outline Philosophy and Architecture A framework for network traffic analysis. 2 Bro Workshop 2011

  1. The Bro Network Security Monitor Broverview Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011

  2. Outline 2 Bro Workshop 2011

  3. Outline Philosophy and Architecture A framework for network traffic analysis. 2 Bro Workshop 2011

  4. Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. 2 Bro Workshop 2011

  5. Outline Philosophy and Architecture A framework for network traffic analysis. History From research to operations. Architecture Components, logs, scripts, cluster. 2 Bro Workshop 2011

  6. What is Bro? 3 Bro Workshop 2011

  7. What is Bro? Packet Capture 3 Bro Workshop 2011

  8. What is Bro? Packet Capture Traffic Inspection 3 Bro Workshop 2011

  9. What is Bro? Packet Capture Traffic Inspection Attack Detection 3 Bro Workshop 2011

  10. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog 3 Bro Workshop 2011

  11. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Abstraction Data Structures 3 Bro Workshop 2011

  12. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Abstraction Data Structures 3 Bro Workshop 2011

  13. What is Bro? Packet Capture Traffic Inspection Attack Detection NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 3 Bro Workshop 2011

  14. What is Bro? Packet Capture Traffic Inspection Attack Detection “Domain-specific Python” NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 3 Bro Workshop 2011

  15. What is Bro? Packet Capture S u m i s m o r e t h a n t h e p i e c e s Traffic Inspection Attack Detection “Domain-specific Python” NetFlow Log Recording syslog Flexibility Flexibility Abstraction Abstraction Data Structures Data Structures 3 Bro Workshop 2011

  16. Philosophy 4 Bro Workshop 2011

  17. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. 4 Bro Workshop 2011

  18. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. 4 Bro Workshop 2011

  19. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. 4 Bro Workshop 2011

  20. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. 4 Bro Workshop 2011

  21. Philosophy Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro. Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis. Policy-neutral at the core. Can accommodate a range of detection approaches. Highly stateful. Tracks extensive application-layer network state. Supports forensics. Extensively logs what it sees. 4 Bro Workshop 2011

  22. Target Audience 5 Bro Workshop 2011

  23. Target Audience Large-scale environments. Effective also with liberal security policies. 5 Bro Workshop 2011

  24. Target Audience Large-scale environments. Effective also with liberal security policies. Network-savvy users. Requires understanding of your network. 5 Bro Workshop 2011

  25. Target Audience Large-scale environments. Effective also with liberal security policies. Network-savvy users. Requires understanding of your network. Unixy mindset. Command-line based, fully customizable. 5 Bro Workshop 2011

  26. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Vern writes 1st line of code 6 Bro Workshop 2011

  27. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Vern writes 1st line of code LBNL starts using Bro operationally 6 Bro Workshop 2011

  28. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 v0.2 v0.7a90 v1.1/v1.2 v1.5 Vern writes 1st v0.6 v0.8aX/0.9aX Bro 2.0 1st CHANGES Profiling when Stmt BroControl line of code RegExps SSL/SMB entry State Mgmt STABLE releases Resource Login analysis BroLite tuning Bro Waters Broccoli DPD v0.7a175/0.8aX v1.0 v1.4 v0.4 LBNL starts Signatures BinPAC DHCP/BitTorrent HTTP analysis using Bro SMTP IRC/RPC analyzers HTTP entities Scan detector operationally IPv6 support 64-bit support NetFlow IP fragments User manual Sane version Bro Lite Deprecated Linux support numbers 0.8a37 v1.3 v0.7a48 Communication Ctor expressions Consistent Persistence GeoIP CHANGES Namespaces Conn Compressor Log Rotation 6 Bro Workshop 2011

  29. Bro History Host Context Academic Time Machine Enterprise Traffic Publications TRW State Mgmt. Bro Cluster Independ. State Shunt Parallel Prototype Anonymizer BinPAC Stepping Stone Active Mapping DPD USENIX Paper Detector Context Signat. 2nd Path Autotuning 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 v0.2 v0.7a90 v1.1/v1.2 v1.5 Vern writes 1st v0.6 v0.8aX/0.9aX Bro 2.0 1st CHANGES Profiling when Stmt BroControl line of code RegExps SSL/SMB entry State Mgmt STABLE releases Resource Login analysis BroLite tuning Bro Waters Broccoli DPD v0.7a175/0.8aX v1.0 v1.4 v0.4 LBNL starts Signatures BinPAC DHCP/BitTorrent HTTP analysis using Bro SMTP IRC/RPC analyzers HTTP entities Scan detector operationally IPv6 support 64-bit support NetFlow IP fragments User manual Sane version Bro Lite Deprecated Linux support numbers 0.8a37 v1.3 v0.7a48 Communication Ctor expressions Consistent Persistence GeoIP CHANGES Namespaces Conn Compressor Log Rotation 6 Bro Workshop 2011

  30. Research Heritage 7 Bro Workshop 2011

  31. Research Heritage Much of Bro is coming out of research projects. Bridging gap between academia and operations. 7 Bro Workshop 2011

  32. Research Heritage Much of Bro is coming out of research projects. Bridging gap between academia and operations. However, that meant limited engineering resources. We were lacking resources for development, documentation, polishing. 7 Bro Workshop 2011

  33. Research Heritage Much of Bro is coming out of research projects. Bridging gap between academia and operations. However, that meant limited engineering resources. We were lacking resources for development, documentation, polishing. NSF now funding Bro development at ICSI and NCSA. Full-time engineers working 3 years on capabilities & user experience. Office of Cyberinfrastructure 7 Bro Workshop 2011

  34. Research Heritage Much of Bro is coming out of research projects. Bridging gap between academia and operations. However, that meant limited engineering resources. We were lacking resources for development, documentation, polishing. NSF now funding Bro development at ICSI and NCSA. Full-time engineers working 3 years on capabilities & user experience. Objective is a sustainable development model. Aiming to create a larger user and development community. Office of Cyberinfrastructure 7 Bro Workshop 2011

  35. Deployment Internal Internet Network 8 Bro Workshop 2011

  36. Deployment Ta Internal Internet Network Bro 8 Bro Workshop 2011

  37. Deployment Ta Internal Internet Network Bro Runs on commodity platforms. � Standard PCs & NICs. Supports FreeBSD/Linux/OS X. 8 Bro Workshop 2011

  38. Architecture Packets Network 9 Bro Workshop 2011

  39. Architecture Events Event Engine Protocol Decoding Packets Network 9 Bro Workshop 2011

  40. Architecture Logs Notification Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 9 Bro Workshop 2011

  41. Architecture Logs Notification “User Interface” Policy Script Interpreter Analysis Logic Events Event Engine Protocol Decoding Packets Network 9 Bro Workshop 2011

  42. Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. 10 Bro Workshop 2011

  43. Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. event http_request (c: connection, # Connection. method: string, # HTTP method. original_URI: string, # Requested URL. unescaped_URI: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_URI == /.*passwd/ ) NOTICE(...); # Alarm. } 10 Bro Workshop 2011

  44. Script Example: Scan Detector Task: Count failed connection attempts per source address . 11 Bro Workshop 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

The Bro Network Security Monitor Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic analysis. 2 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to

1.22k views • 73 slides
MI STRAL Modeling of Comput er Syst ems and Telecommunicat ion Net works Philippe Nain I NRI A

MI STRAL Modeling of Comput er Syst ems and Telecommunicat ion Net works Philippe Nain I NRI A

MI STRAL Modeling of Comput er Syst ems and Telecommunicat ion Net works Philippe Nain I NRI A Sophia Ant ipolis Evaluat ion of I NRI A 1B Theme J ouy-en-J osas, Oct ober 22, 2003 Scient if ic goals MI STRAL is devot ed t o building

326 views • 19 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
for SDN Deployment Victor Heorhiadi Michael K. Reiter Vyas Sekar UNC Chapel Hill UNC Chapel

for SDN Deployment Victor Heorhiadi Michael K. Reiter Vyas Sekar UNC Chapel Hill UNC Chapel

Simplifying Network Optimization for SDN Deployment Victor Heorhiadi Michael K. Reiter Vyas Sekar UNC Chapel Hill UNC Chapel Hill Carnegie Mellon University Overview: SDN SDN applications A A A A A A A Network routes Network data

499 views • 27 slides
Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge

Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge

Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge 9th December 2005 Overview n Why traffic generation is important n Basics of traffic modeling n Open system models n Closed system models n Common

672 views • 19 slides
Traffic Monitoring and Application Classification: A Novel Approach Michalis Faloutsos, UC

Traffic Monitoring and Application Classification: A Novel Approach Michalis Faloutsos, UC

Traffic Monitoring and Application Classification: A Novel Approach Michalis Faloutsos, UC Riverside QuickTime and a QuickTime and a TIFF (Uncompressed) decompressor TIFF (Uncompressed) decompressor are needed to see this picture. are

685 views • 64 slides
presentations on the web Ellen Finkelstein @EFinkelstein 1 1 Reasons to put a 3 2

presentations on the web Ellen Finkelstein @EFinkelstein 1 1 Reasons to put a 3 2

Training video: How to get your presentations on the web Ellen Finkelstein @EFinkelstein 1 1 Reasons to put a 3 2 presentation online 2 How do you want the presentation to be experienced? Silent Narrated User Automatic controlled

640 views • 46 slides
DESIGNING WEBSITE ARCHITECTURE WITH REAL HUMANS IN MIND Valerie Neumark Mickela Co-Founder

DESIGNING WEBSITE ARCHITECTURE WITH REAL HUMANS IN MIND Valerie Neumark Mickela Co-Founder

DESIGNING WEBSITE ARCHITECTURE WITH REAL HUMANS IN MIND Valerie Neumark Mickela Co-Founder & Brand Strategist Rootid Think about a commercial/ad/ music video/soundtrack that has really resonated with you. Please share with your

326 views • 16 slides
Long-lived Charginos in the MSSM Focus-point Region M. G. Paucar A. Long-lived Charginos in the

Long-lived Charginos in the MSSM Focus-point Region M. G. Paucar A. Long-lived Charginos in the

Long-lived Charginos in the MSSM Focus-point Region M. G. Paucar A. Long-lived Charginos in the MSSM Focus-point Region The MSSM Available Regions of mSUGRA Parameters Space Long-lived Charginos Phenomenology of light chargino

366 views • 18 slides
DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) ChaTo (Carlos

DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) ChaTo (Carlos

DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) ChaTo (Carlos Castillo) Yiannis (Ioannis Chatzigiannakis) What is Data Science? What is Data Science? Boh What is Data Science? What is Data Science? What is

1.01k views • 57 slides
DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) Teaching

DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) Teaching

DATA MINING INTRO LECTURE Introduction Instructors Aris (Aris Anagnostopoulos) Teaching Assistant (TA): Andrea (Andrea Mastropietro) Logistics Register: Send email to Aris Web page Class hours Office hours What do you need

593 views • 48 slides
Opinio n Mining F e iyu XU & Xiwe n CHE NG Xiwe n.c he ng @ dfki.de DF K I , Sa a rb

Opinio n Mining F e iyu XU & Xiwe n CHE NG Xiwe n.c he ng @ dfki.de DF K I , Sa a rb

Opinio n Mining F e iyu XU & Xiwe n CHE NG Xiwe n.c he ng @ dfki.de DF K I , Sa a rb rue c ke n, Ge rma ny Ja n 19th, 2011 2011-1-19 L a ng ua g e T e c hno lo g y I 1 Disc ussio n o n Opinio n Mining Applic a tio n T e xtma

745 views • 40 slides
PDBWiki: success or failure? Factors for successful community annotation projects Dan Bolser (

PDBWiki: success or failure? Factors for successful community annotation projects Dan Bolser (

PDBWiki: success or failure? Factors for successful community annotation projects Dan Bolser ( dan.bolser@gmail.com ) NETTAB 2010, Naples, Italy 1 2 Motivation for this work Opportunity to look at the strengths and weaknesses of the

636 views • 36 slides
A world that works for everyone Exploring sortition Are our democracies working well?

A world that works for everyone Exploring sortition Are our democracies working well?

A world that works for everyone Exploring sortition Are our democracies working well? Distorted media, Lobbyists, vested interests, factions, desire for power? What qualities of sortition would be good? Representative random

301 views • 5 slides
Faith Confidence in who God is Limitless faith no boundary to our confidence in God Faith

Faith Confidence in who God is Limitless faith no boundary to our confidence in God Faith

Limitless No Limits Faith Confidence in who God is Limitless faith no boundary to our confidence in God Faith is a gift For by grace you have been saved through faith. And this is not your own doing; it is the gift of God Ephesians

552 views • 13 slides
Logic and Group Decision Making Eric Pacuit Department of Philosophy University of Maryland,

Logic and Group Decision Making Eric Pacuit Department of Philosophy University of Maryland,

Logic and Group Decision Making Eric Pacuit Department of Philosophy University of Maryland, College Park pacuit.org epacuit@umd.edu August 12, 2013 Eric Pacuit 1 An Email Eric Pacuit 2 An Email Interesting Eric Pacuit 2 An Email

1.1k views • 86 slides
PHPE 400 Individual and Group Decision Making Eric Pacuit University of Maryland 1 / 19

PHPE 400 Individual and Group Decision Making Eric Pacuit University of Maryland 1 / 19

PHPE 400 Individual and Group Decision Making Eric Pacuit University of Maryland 1 / 19 Judgement aggregation model Group of experts Agenda Judgement Aggregation method 2 / 19 Group of experts Evidence: shared or

845 views • 52 slides
MATERNAL MENTAL HEALTH: ADDRESSING PERI- AND POSTPARTUM DEPRESSION Learning Objectives

MATERNAL MENTAL HEALTH: ADDRESSING PERI- AND POSTPARTUM DEPRESSION Learning Objectives

MATERNAL MENTAL HEALTH: ADDRESSING PERI- AND POSTPARTUM DEPRESSION Learning Objectives Implement evidence-based strategies to manage depression during pregnancy Counsel patients about the risks vs. benefits of medication treatment during

705 views • 41 slides
6 STEPS TO REWIRE CUSTOMER LOYALTY AND BUILD YOUR BUSINESS These materials do not reflect the

6 STEPS TO REWIRE CUSTOMER LOYALTY AND BUILD YOUR BUSINESS These materials do not reflect the

6 STEPS TO REWIRE CUSTOMER LOYALTY AND BUILD YOUR BUSINESS These materials do not reflect the views of Verizon. JAY BAER Founder, Convince & Convert 7th-generation entrepreneur Author of 6 best-selling books Creator of 5 multi-million

936 views • 62 slides
Robotic Mapping: an architectural approach S. Bonetti - F. Fiamberti - D. Micucci - F. Tisato

Robotic Mapping: an architectural approach S. Bonetti - F. Fiamberti - D. Micucci - F. Tisato

Robotic Mapping: an architectural approach S. Bonetti - F. Fiamberti - D. Micucci - F. Tisato D.I.S.Co. University of Milano-Bicocca - Italy D I P A R T I M E N T O D I P A R T I M E N T O D I D I I N F O R M A T I C A I N F O R M A T I C A

517 views • 25 slides
201ab Quantitative methods L.12 Linear model: Categorical predictors E D V UL | UCSD Psychology

201ab Quantitative methods L.12 Linear model: Categorical predictors E D V UL | UCSD Psychology

201ab Quantitative methods L.12 Linear model: Categorical predictors E D V UL | UCSD Psychology Psych 201ab: Quantitative methods Overly specific named procedures Response ~null ~binary ~category ~numerical ~numerical + category

863 views • 67 slides
CPSC 121: Mode els of Computation Un nit 4 Propositiona l Logic Proofs Based on slides by

CPSC 121: Mode els of Computation Un nit 4 Propositiona l Logic Proofs Based on slides by

CPSC 121: Mode els of Computation Un nit 4 Propositiona l Logic Proofs Based on slides by Patrice Be Based on slides by Patrice Be lleville and Steve Wolfman lleville and Steve Wolfman Pre-Class Learning Pre-Class Learning Goals Goals

332 views • 16 slides
The Web of Mathematical Models: A Schema-based, Wiki-like, Interactive Platform Thomas

The Web of Mathematical Models: A Schema-based, Wiki-like, Interactive Platform Thomas

The Web of Mathematical Models: A Schema-based, Wiki-like, Interactive Platform Thomas Grundmann, Jean-Marie Gaillourdet, Karsten Schmidt, Arnd Poetzsch-Heffter, Stefan Deloch and Martin Memmel MathWikis, Nijmegen, 2011 Outline

528 views • 17 slides
Introduction to policy search in Reinforcement Learning Djalel Benbouzid Data:Lab Munich,

Introduction to policy search in Reinforcement Learning Djalel Benbouzid Data:Lab Munich,

Introduction to policy search in Reinforcement Learning Djalel Benbouzid Data:Lab Munich, Volkswagen Group June 27 th 2018 introduction and some reminders introduce a di ff erent way to RL , wrt. first lecture quick outline gradients-based

862 views • 41 slides

More recommend