following the packets a walk through bro s internal
play

Following the Packets: A Walk Through Bros Internal Processing - PowerPoint PPT Presentation

Mar 24, 2024 •445 likes •896 views

Following the Packets: A Walk Through Bros Internal Processing Pipeline Robin Sommer robin@icir.org Corelight, Inc. International Computer Science Institute Lawrence Berkeley National Laboratory Outline Bros Architecture & Data

  1. Following the Packets: A Walk Through Bro’s Internal Processing Pipeline Robin Sommer robin@icir.org Corelight, Inc. International Computer Science Institute Lawrence Berkeley National Laboratory

  2. Outline Bro’s Architecture & Data Flow Components Protocol & file analysis Log writer & input readers Bro Plugins

  3. Bro Architecture Script Interpreter Events Event Engine Network Packets

  4. Bro Architecture Script Interpreter Events Event Engine Packet Source Network Packets

  5. Bro Architecture Script Interpreter Events Event Engine I/O Loop Packet Source Network Packets

  6. Bro Architecture Script Interpreter Events Event Engine Session I/O Loop Table Packet Source Network Packets

  7. Bro Architecture Script Interpreter Events Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  8. Bro Architecture Script Interpreter Events Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  9. Bro Architecture Script Interpreter Events File Analysis Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  10. Bro Architecture Script Interpreter Events File Analysis Signature Engine Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  11. Bro Architecture Script Interpreter Events Event File Queue Analysis Signature Engine Protocol Analysis Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  12. Bro Architecture Script Interpreter Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  13. Bro Architecture Script Event Handlers Interpreter Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  14. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types Events Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Connection Session I/O Loop Table Packet Source Network Packets

  15. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Log Connection Manager Session I/O Loop Table Packet Source Network Packets

  16. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Queue Analysis Signature Engine Protocol Timer Analysis Queue Event Engine Remote- Log Connection Serializer Manager Session I/O Loop Table Packet Source Network Packets

  17. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Connection Serializer Manager Session I/O Loop Table Packet Source Network Packets

  18. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Session I/O Loop Table Packet Source Network Packets

  19. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  20. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  21. Protocol & File Analysis Example: SSL Session IP

  22. Protocol & File Analysis Example: SSL Session IP TCP connection_established()

  23. Protocol & File Analysis Example: SSL Session IP TCP SSL connection_established() ssl_{client,server}_hello()

  24. Protocol & File Analysis Example: SSL Session IP TCP SSL X.509 connection_established() ssl_{client,server}_hello() x509_certificate()

  25. Protocol & File Analysis Example: SSL Session ? IP TCP SSL X.509 connection_established() ssl_{client,server}_hello() x509_certificate()

  26. Dynamic Protocol Detection IP TCP

  27. Dynamic Protocol Detection IP TCP PIA Buffer

  28. Dynamic Protocol Detection Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer

  29. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer

  30. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL

  31. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL X.509

  32. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL HTTP X.509

  33. Dynamic Protocol Detection signature dpd_ssl_server { ip-proto == tcp payload /^(\x16\x03[\x00\x01\x02\x03[…].*/ tcp-state responder enable "ssl" } Analyzer::register_for_port(Analyzer::SSL, 443/tcp); IP TCP PIA Buffer SSL HTTP X.509

  34. Protocol Analyzer API class Analyzer { virtual void Init (); virtual void Done (); virtual void DeliverPacket (int len, const u_char* data, bool orig, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); virtual void DeliverStream (int len, const u_char* data, bool orig); virtual void Undelivered (uint64 seq, int len, bool orig); virtual void EndOfData (bool is_orig); virtual void FlipRoles (); } class TCP_ApplicationAnalyzer : public Analyzer { virtual void EndpointEOF (bool is_orig); virtual void ConnectionFinished (int half_finished); virtual void ConnectionReset (); };

  35. File Analyzer API class Analyzer { virtual void Init (); virtual void Done (); virtual bool DeliverChunk (const u_char* data, uint64 len, uint64 offset); virtual bool DeliverStream (const u_char* data, uint64 len); virtual bool EndOfFile (); virtual bool Undelivered (uint64 offset, uint64 len); };

  36. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  37. Bro Architecture Script Modules Expressions Values Event Handlers Interpreter Functions Statements Types BiF Types Event prototypes Events Elements Constants Functions Event File Communic. Queue Analysis Signature Process Engine Protocol Timer Analysis Queue Event Engine Remote- Log Input Connection Serializer Manager Manager Thread Session I/O Loop Manager Table Packet Source Network Packets

  38. Writers & Readers Log Writers Input Readers ASCII ASCII Binary SQLite Raw file SQLite

  39. Log Writer API class WriterBackend { virtual bool DoInit (const WriterInfo& info, int num_fields, virtual bool DoWrite (int num_fields, const Field* const* fields, threading::Value** vals); virtual bool DoSetBuf (bool enabled); virtual bool DoFlush (double network_time); virtual bool DoRotate (const char* rotated_path, double open, double close, bool terminating); virtual bool DoFinish (double network_time); virtual bool DoHeartbeat (double network_time, double current_time); }; Each writer runs in its own thread.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Networking Packets Terminology Example: IP Packet Size Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 September 2013 Common/Reports/packets.tex, r676

668 views • 29 slides
TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets Reordered packets Malicious packets Requirements for Reliability Error Detection Receiver Feedback Retransmission Requirements

457 views • 23 slides
The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley Daphne bholua Chimonanthus praecox Luteus Edgeworthia chrysantha grandiflora

487 views • 27 slides
the day of Question to send a message containing h Packets I want chambers am using corrupts K

the day of Question to send a message containing h Packets I want chambers am using corrupts K

CS 70 July 9,2020 the day of Question to send a message containing h Packets I want chambers am using corrupts K of the Packets The network I don't know which k Packets are corrupted we is fixed regardless of the length of the K message

538 views • 12 slides
Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question:

Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question:

Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question: Can you send n + k packets and recover message? A degree n 1 polynomial determined by any n points! Erasure Coding Scheme: message = m 0 , m 2

314 views • 9 slides
Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES Identify ways to make an impact through Walk MS. Be equipped to demonstrate boldness and enthusiasm when asking friends and family to join you in

407 views • 29 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO,

r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO,

r2#debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) *Apr 28 18:45:18.863 KRSK: EIGRP: Received HELLO on Serial0/0/0 nbr 10.16.0.1 *Apr 28 18:45:18.863 KRSK: AS 200,

531 views • 5 slides
Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The ISIS Walk The ISIS Walk 3 the ISIS Walk guide hyperspace package We will be introducing the ISIS Walk DVD this Fall 2010 with the option

912 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS Network operators : Block traffic in their own networks/countries Off-path attackers : Inject TCP RST packets (next week) Routing-capable adversaries

517 views • 23 slides
CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS Network operators : Block traffic in their own networks/countries Off-path attackers : Inject TCP RST packets (next week) Routing-capable adversaries

654 views • 44 slides
Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal

Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal

Internal Audit Professionals & Internal Audit Students Pizza Mingle! Managing the Internal Audit Function Sponsored by: The Austin Chapter of the Institute of Internal Auditors, Academic Relations Committee Slide 1 Managing The Internal

722 views • 12 slides
Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of walking infrastructure Walk through Roslindale Village Discuss observations and recommend improvements Next Steps: Review report/submit comments

375 views • 19 slides
Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks are complex! o but doesnt lose or reorder them many pieces: A simple protocol o send file as a series of packets hosts Question:

200 views • 6 slides
Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that linguists call morphemes , the minimal units of linguistic form and meaning. 1 / 41 dog, dog+s, bull+dog walk, walk+s, walk+ed, walk+ing,

806 views • 41 slides
RESPITE: Tandem & multistream research Dan Ellis International Computer Science Institute,

RESPITE: Tandem & multistream research Dan Ellis International Computer Science Institute,

RESPITE: Tandem & multistream research Dan Ellis International Computer Science Institute, Berkeley CA <dpwe@icsi.berkeley.edu> Outline 1 Tandem & LVCSR 2 Mutual information for multistream design 3 Other multistream work at

251 views • 13 slides
The ICSI corpus; Browsing meetings nlssd natural language and speech system design . Steve

The ICSI corpus; Browsing meetings nlssd natural language and speech system design . Steve

The ICSI corpus; Browsing meetings nlssd natural language and speech system design . Steve Renals s.renals@ed.ac.uk NLSSD/Corpus and Browsing p.1/14 Overview The ICSI meetings corpus Browsing meetings Useful reading: Janin et

185 views • 14 slides
ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1

ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1

Netalyzr Weaver ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1 Acknowledgements Where do I donate -User Feedback Netalyzr Weaver Joint Work with Christian Kreibich (ICSI), Martin Dam (Aalborg

417 views • 10 slides
Talk, Cheap Talk, and States of Knowledge Rohit Parikh City University of New York COMSOC 2008

Talk, Cheap Talk, and States of Knowledge Rohit Parikh City University of New York COMSOC 2008

Talk, Cheap Talk, and States of Knowledge Rohit Parikh City University of New York COMSOC 2008 September 5, 2008 The peculiar character of the problem of a rational economic order is determined precisely by the fact that the knowledge of the

1.13k views • 109 slides
Do You See What I See? Differential Treatment of Anonymous Users Sheharbano Khattak (University

Do You See What I See? Differential Treatment of Anonymous Users Sheharbano Khattak (University

Do You See What I See? Differential Treatment of Anonymous Users Sheharbano Khattak (University of Cambridge) David Fifield (UC Berkeley) Sadia Afroz (ICSI) Mobin Javed (UC Berkeley) Srikanth Sundaresan (ICSI) Vern Paxson (UC Berkeley,

540 views • 49 slides
Introduction to Speaker Diarization Dr. Gerald Friedland International Computer Science

Introduction to Speaker Diarization Dr. Gerald Friedland International Computer Science

Introduction to Speaker Diarization Dr. Gerald Friedland International Computer Science Institute Berkeley, CA friedland@icsi.berkeley.edu Monday, May 21, 12 Speaker Diarization... tries to answer the question: who spoke when?

1.92k views • 141 slides
Evaluating Network Security using Internet Measurements Oliver Gasser Tuesday 23 rd May, 2017

Evaluating Network Security using Internet Measurements Oliver Gasser Tuesday 23 rd May, 2017

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluating Network Security using Internet Measurements Oliver Gasser Tuesday 23 rd May, 2017 Chair of Network Architectures and Services

900 views • 54 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides

More recommend