monitoring network security with the
play

Monitoring Network Security with the Open-Source Bro NIDS Robin - PowerPoint PPT Presentation

Oct 16, 2022 •416 likes •922 views

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute rsommer@lbl.gov http://www.icir.org DOE Network Security Monitoring Technical Summit at

  1. Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute rsommer@lbl.gov http://www.icir.org DOE Network Security Monitoring Technical Summit at Jefferson Lab

  2. Outline • Overview of Bro’s design & architecture • Topics • Dynamic Protocol Detection • Bro Cluster • Time Machine with Bro interface • Outlook DOE Network Security Monitoring Technical Summit 2

  3. The Bro NIDS DOE Network Security Monitoring Technical Summit 3

  4. System Philosophy • Bro is being developed at LBNL & ICSI since 1996 • LBNL has been using Bro operationally for >10 years • It is one of the main components of the lab’s network security infrastructure • Bro provides a real-time network analysis framework • Primary a network intrusion detection system (NIDS) • However it is also used for pure traffic analysis • Focus is on • Application-level semantic analysis (rather than analyzing individual packets) • Tracking information over time • Strong separation of mechanism and policy • The core of the system is policy-neutral (no notion of “good” or “bad”) • User provides local site policy DOE Network Security Monitoring Technical Summit 4

  5. System Philosophy (2) • Operators program their policy • Not really meaningful to talk about what Bro detects “by default” • Analysis model is not signature matching • Bro is fundamentally different from, e.g., Snort (though it can do signatures as well) • Analysis model is not anomaly detection • Though it does support such approaches (and others) in principle • System thoroughly logs all activity • It does not just alert • Logs are invaluable for forensics DOE Network Security Monitoring Technical Summit 5

  6. Target Environments • Bro is specifically well-suited for scientific environments • Extremely useful in networks with liberal (“default allow”) policies • High-performance on commodity hardware • Supports intrusion prevention schemes • Open-source (BSD license) • It does however require some effort to use effectively • Pretty complex, script-based system • Requires understanding of the network • No GUI, just ASCII logs • Only partially documented • Lacking resources to fully polish the system • Development is primarily driven by research • However, our focus is operational use; we invest much time into “practical” issues • Want to bridge gap between research and operational deployment DOE Network Security Monitoring Technical Summit 6

  7. Bro Deployment • Bro is typically deployed at a site’s upstream link • Monitors all external packets coming in or going out • Deployment similar to other NIDS Internal Tap Internet Network Bro DOE Network Security Monitoring Technical Summit 7

  8. LBNL’s Bro Setup External Internal Tap 10G 10G (ESNet) (LBLNet) Bro DOE Network Security Monitoring Technical Summit 8

  9. LBNL’s Bro Setup External Internal Tap Tap 10G 10G Gateway (ESNet) (LBLNet) Bro Bro DOE Network Security Monitoring Technical Summit 8

  10. LBNL’s Bro Setup External Internal Tap Tap 10G 10G Gateway (ESNet) (LBLNet) Bro Bro Bro Bro Bro Bro DOE Network Security Monitoring Technical Summit 8

  11. LBNL’s Bro Setup External Internal Tap Tap 10G 10G Gateway (ESNet) (LBLNet) Dynamic acld Blocking Bro Bro Bro Bro Bro Bro Bro blocks several thousands addresses per day! DOE Network Security Monitoring Technical Summit 8

  12. Architecture Packet Stream Network DOE Network Security Monitoring Technical Summit 9

  13. Architecture Event Stream Event Engine (Core) Packet Stream Network DOE Network Security Monitoring Technical Summit 9

  14. Architecture Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network DOE Network Security Monitoring Technical Summit 9

  15. Event-Engine • Event-engine is written in C++ • Performs policy-neutral analysis • Turns low-level activity into high-level events • Examples: connection_established, http_request • Events are annotated with context (e.g., IP addresses, URL) • Contains analyzers for >30 protocols, including • ARP, IP, ICMP, TCP, UDP • DCE-RPC, DNS, FTP, Finger, Gnutella, HTTP, IRC, Ident, NCP, NFS, NTP, NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP, SSH, SSL, SunRPC, Telnet • Analyzers generate ~300 types of events DOE Network Security Monitoring Technical Summit 10

  16. Policy Scripts • Scripts process event stream, incorporating ... • ... context from past events • ... site’s local security policy • Scripts take actions • Generating alerts via syslog or mail • Executing program as a form of response • Recording activity to disk DOE Network Security Monitoring Technical Summit 11

  17. Example Log: Connection Summaries • One-line summaries for all TCP connections • Most basic, yet also one of the most useful analyzers > bro -r trace tcp Time Duration Source Destination 1144876596.658302 1.206521 192.150.186.169 62.26.220.2 \ http 53052 80 tcp 874 1841 SF X Serv SrcPort DstPort Proto SrcBytes DstBytes State Dir LBNL has connection logs for every connection attempt since June 94! DOE Network Security Monitoring Technical Summit 12

  18. Example Log: HTTP Session 1144876588.30 %2 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 %2 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 %2 > HOST: www.spiegel.de 1144876588.30 %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS ... 1144876588.30 %2 > ACCEPT: text/xml,application/xml,application/xhtml ... 1144876588.30 %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 %2 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 %2 < CACHE-CONTROL: max-age=120 1144876588.77 %2 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." 1144876588.78 %2 <= 1500 bytes: "r "http://spiegel.ivwbox.de" r..." 1144876588.78 %2 <= 1500 bytes: "icon.ico" type="image/ico">^M^J ..." 1144876588.94 %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55 ..." [...] DOE Network Security Monitoring Technical Summit 13

  19. Script Example: Tracking SSH Hosts global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder’s address local service = c$id$resp_p; # Responder’s port if ( service != 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. add ssh_hosts[responder]; # Found a new host. alarm fmt("New SSH host found: %s", responder); } DOE Network Security Monitoring Technical Summit 14

  20. Expressing Policy • Scripts are written in custom, domain-specific language • Bro ships with 20K+ lines of script code • Default scripts detect attacks & log activity extensively • Language is • Procedural • Event-based • Strongly typed • Rich in types • Usual script-language types, such as tables and sets • Domain-specific types, such as addresses, ports, subnets • Supporting state management (expiration, timers, etc.) • Supporting communication with other Bro instances DOE Network Security Monitoring Technical Summit 15

  21. Port-independent Protocol Analysis with Dynamic Protocol Detection DOE Network Security Monitoring Technical Summit 16

  22. Port-based Protocol Analysis • Bro has lots of application-layer analyzers • But which protocol does a connection use? • Traditionally NIDS rely on ports • Port 80? Oh, that’s HTTP. • Obviously deficient in two ways • There’s non-HTTP traffic on port 80 (firewalls tend to open this port...) • There’s HTTP on ports other than port 80 • Particularly problematic for security monitoring • Want to know if somebody avoids the well-known port DOE Network Security Monitoring Technical Summit 17

  23. Port-independent Analysis • Look at the payload to see what is, e.g., HTTP • Analyzers already know how a protocol looks like • Leverage existing protocol analyzers • Let each analyzer try to parse the payload • If it succeeds, great! • If not, then it’s actually another protocol • Ideal setting: for every connection, try all analyzers • However, performance is prohibitive • Can’t parse 10000s of connections in parallel with all analyzers DOE Network Security Monitoring Technical Summit 18

  24. Making it realistic ... • Bro uses byte patterns to prefilter connections • An HTTP signature looks for potential uses of HTTP • Then the HTTP analyzer verifies by trying to parse the payload • Signatures can be loose because false positives are inexpensive (no alerts!) • Other NIDS often ship with protocol signatures • These directly generate alerts (imagine reporting all non-80 HTTP conns!) • These do not trigger protocol-layer semantic analysis (e.g., extracting URLs) • In Bro, a match triggers further analysis • Main internal concept: analyzer trees • Each connection is associated with an analyzer tree DOE Network Security Monitoring Technical Summit 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Infrastructure Architecture for a Cloud IaaS Provider Software Defined Networking and Network Virtualization Network Monitoring Security Enforcement Inter-Domain Routing for Virtualized Networks Security Monitoring and Enforcement for the

795 views • 42 slides
They did not know what hit them Network Security Monitoring at Mozilla I bought you those

They did not know what hit them Network Security Monitoring at Mozilla I bought you those

They did not know what hit them Network Security Monitoring at Mozilla I bought you those servers to run NSM on them &lt;- Boss, 2012 New servers &lt;- always cool Mozilla Confidential 2 The big idea NSM = Network Security Monitoring

1.1k views • 82 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott Miserendino Michael Gora Chief Data Scientist System Architect Cyber Security Start-Up Started in 2013 Born out of a large defense

342 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT April, 2008 20th Annual FIRST Conference on Computer Security Incident Handling Summary 1. INTECO and INTECO-CERT 2. Spam Monitoring Network 1.

675 views • 33 slides
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?) Seungwon Shin Guofei Gu SUCCESS Lab SUCCESS Lab Texas A&amp;M University Texas A&amp;M

314 views • 6 slides
1 Current Security Monitoring Current Network Monitoring Visualization Humans learn visually

1 Current Security Monitoring Current Network Monitoring Visualization Humans learn visually

Overview The Thin Blue Line: Security SysAdmins Current state of Internet Security Better Tools for System Administration: all metrics show bad -&gt; worse unpatched software vulnerabilities Enhancing the Human-Computer

583 views • 6 slides
Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar Bohte &amp; Roy Vermeulen Why diabetes? 2 3 The upside 4 Smartphone app security 5 Health data confidentiality 6 Diabetes data integrity

645 views • 28 slides
High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for Monitoring External and Internal Activity Robin Sommer Lawrence Berkeley National Laboratory &amp; International Computer Science Institute

841 views • 52 slides
Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Where to put the

Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Where to put the

Real-Time Communication Security: SSL/TLS Guevara Noubir noubir@ccs.neu.edu Network Security Reading Assignment: chapters 16, 19 Network Security SSL TLS 1 Some Issues with Real-time Communication Session key establishment

312 views • 8 slides
All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring Systems Andrei Costin EURECOM, France 1 st Workshop on Security &amp; Privacy in the Cloud (SPC) 30 Sep 2015, Florence Italy Agenda

640 views • 63 slides
Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey Williamson Department of Computer Science University of Calgary Outline Introduction (Carey: 20 minutes) Internet TCP/IP protocol stack

959 views • 48 slides
Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202 @suqitian Network Security Research Lab, Qihoo 360 http://netlab.360.com/ FloCon 2017 Backbone Network DRDoS Attack Monitoring and Analysis Thread

238 views • 22 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector

in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector

Working to Achieve Cybersecurity in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector Cybersecurity Challenges Open Protocols Open industry standard protocols are replacing vendor-specific

609 views • 36 slides
Educating the Next Generation of Scientists &amp; Engineers for America William A. Barletta

Educating the Next Generation of Scientists &amp; Engineers for America William A. Barletta

Educating the Next Generation of Scientists &amp; Engineers for America William A. Barletta Director, United States Particle Accelerator School Dept. of Physics, MIT Dept. of Physics and Astronomy, UCLA US Par t icl e Accel er at or School

537 views • 40 slides
Using Chip Simulation to Optimize Engine Control Matthias Simons - Daimler AG Mihai Feier, Jakob

Using Chip Simulation to Optimize Engine Control Matthias Simons - Daimler AG Mihai Feier, Jakob

Using Chip Simulation to Optimize Engine Control Matthias Simons - Daimler AG Mihai Feier, Jakob Mauss - QTronic GmbH 7th Conference on Design of Experiments (DoE) in Engine Development Berlin, 18.19.06.2013 Outline of the talk Using Chip

218 views • 19 slides
Secondary Transition Services and Graduation with a High School Diploma Graduation with a

Secondary Transition Services and Graduation with a High School Diploma Graduation with a

Secondary Transition Services and Graduation with a High School Diploma Graduation with a Regular High School Diploma* Under IDEA Ends a students eligibility for special education and related services. A change in placement, subject

427 views • 15 slides
DOE-EFCOG ISM &amp; QA Strategic Planning &amp; Direction HPI Task Group FY15 Initiatives Kim

DOE-EFCOG ISM &amp; QA Strategic Planning &amp; Direction HPI Task Group FY15 Initiatives Kim

DOE-EFCOG ISM &amp; QA Strategic Planning &amp; Direction HPI Task Group FY15 Initiatives Kim Leffew and Chuck Ramsey HPI Integration for Org Effectiveness 2015 Initiatives DOE &amp; Contractor Leadership Guidance: Provide draft document

521 views • 3 slides
Water-Energy Nexus Pressures and drivers USGCRP and DOE

Water-Energy Nexus Pressures and drivers USGCRP and DOE

Water-Energy Nexus Pressures and drivers USGCRP and DOE priori=es DOEs WETT G. L. Geernaert DOE Pressures and drivers IPCC and NCA

452 views • 9 slides
Planned Developments of Planned Developments of Hi h E d S Hi h E d S High End Systems High

Planned Developments of Planned Developments of Hi h E d S Hi h E d S High End Systems High

Planned Developments of Planned Developments of Hi h E d S Hi h E d S High End Systems High End Systems t t Around the World Around the World Jack Dongarra INNOVATIVE COMP ING LABORATORY University of Tennessee Oak Ridge National

549 views • 21 slides
Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities

Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities

INL/MIS-15-34247 Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities INL works with all vendors to provide fair access to the laboratory benefits INL works with industry on SMR technology and

634 views • 24 slides

More recommend