network intrusion detection forensics
play

Network Intrusion Detection & Forensics with Bro Matthias - PowerPoint PPT Presentation

Feb 29, 2024 •105 likes •432 views

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

  1. Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016

  2. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29

  3. Detection vs. Blocking Intrusion Prevention ◮ Inline ◮ Critical Intrusion Detection ◮ Passive ◮ Independent 2 / 29

  4. Deployment Styles Host-based ◮ Scope: single machine ◮ Example: anti-virus (AV), system monitors (e.g., OSSEC) ✓ Access to internal system state (memory, disk, processes) ✓ Easy to block attacks ✗ High management overhead for large fleet of machines ✗ Expensive analysis can decrease performance Network-based ◮ Scope: entire network ◮ Example: Bro, Snort, Suricata ✓ Network-wide vantage-point ✓ Easy to manage, best bang for the buck ✗ Lack of visibility: tunneling, encryption (TLS) ✗ All eggs in one basket 3 / 29

  5. Detection Terminology Alert No Alert True Positive (TP) False Negative (FN) Attack False Positive (FP) True Negative (TN) No Attack 4 / 29

  6. Detection Styles Four main styles 1. Misuse detection 2. Anomaly detection 3. Specification-based detection 4. Behavioral detection 5 / 29

  7. Misuse Detection Goal Detect known attacks via signatures / pattern or black lists Pros ✓ Easy to understand, readily shareable ✓ FPs: management likes warm fuzzy feeling Cons ✗ Polymorphism: unable to detect new attacks or variants ✗ Accuracy: finding sweetspot between FPs and FNs is hard Example Snort, regular expression matching 6 / 29

  8. Anomaly Detection Goal Flag deviations from a known profile of “normal” Pros ✓ Detect wide range of attacks ✓ Detect novel attacks Cons ✗ High FP rate ✗ Efficacy depends on training data purity Example Look at distribution of characters in URLs, learn some are rare 7 / 29

  9. Specification-Based Detection Goal Describe what constitutes allowed activity via policy or white list Pros ✓ Can detect novel attacks ✓ Can have low FPs Cons ✗ Expensive: requires significant development ✗ Churn: must be kept up to date Example Firewall 8 / 29

  10. Behavioral Detection Goal Look for evidence of compromise, rather than the attack itself Pros ✓ Works well when attack is hard to describe ✓ Finds novel attacks, cheap to detect, and low FPs Cons ✗ Misses unsuccessful attempts ✗ Might be too late to take action Example unset $HISTFILE 9 / 29

  11. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 9 / 29

  12. Broverview History ◮ Created by Vern Paxson, 1996 ◮ Since then monitors the border of LBNL ◮ At the time, difficult to use, expert NIDS Today ◮ Much easier to use than 10 years ago ◮ Established open-source project, backed by Free Software Consortium ◮ Widely used in industry and academia ◮ General-purpose tool for network analysis ◮ “The scripting language for your network” ◮ Supports all major detection styles ◮ Produces a wealth of actionable logs by default 10 / 29

  13. The Bro Network Security Monitor Architecture ◮ Real-time network analysis framework User Interface ◮ Policy-neutral at the core Logs Notifications ◮ Highly stateful Script Interpreter Key components Events 1. Event engine ◮ TCP stream reassembly Event Engine ◮ Protocol analysis ◮ Policy-neutral Packets 2. Script interpreter ◮ Construct & generate logs Network ◮ Apply site policy ◮ Raise alarms 11 / 29

  14. TCP Reassembly in Bro Abstraction: from packets to byte streams ◮ Elevate packet data into byte streams ◮ Separate for connection originator and responder ◮ Passive TCP state machine: mimic endpoint semantics Originator Responder Connection 1 Connection 2 ... IP packets 12 / 29

  15. Bro’s Event Engine http_request, smtp_reply, ssl_certificate Messages Application Byte stream Transport new_connection, udp_request Packets (Inter)Network new_packet, packet_contents Frames Link arp_request, arp_reply Bro event and data model ◮ Rich-typed : first-class networking types ( addr , port , . . . ) ◮ Deep : across the whole network stack ◮ Fine-grained : detailed protocol-level information ◮ Expressive : nested data with container types (aka. semi-structured) 13 / 29

  16. Bro Logs Events → Scripts → Logs ◮ Policy-neutral by default: no notion of good or bad ◮ Forensic investigations highly benefit from unbiased information ◮ Hence no use of the term “alert” → NOTICE instead ◮ Flexible output formats: 1. ASCII 2. Binary (coming soon) 3. Custom 14 / 29

  17. Log Example conn.log #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path conn #open 2016-01-06-15-28-58 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_.. #types time string addr port addr port enum string interval count count string bool bool count string 1258531.. Cz7SRx3.. 192.168.1.102 68 192.168.1.1 67 udp dhcp 0.163820 301 300 SF - - 0 Dd 1 329 1 328 (empty) 1258531.. CTeURV1.. 192.168.1.103 137 192.168.1.255 137 udp dns 3.780125 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CUAVTq1.. 192.168.1.102 137 192.168.1.255 137 udp dns 3.748647 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CYoxAZ2.. 192.168.1.103 138 192.168.1.255 138 udp - 46.725380 560 0 S0 - - 0 D 3 644 0 0 (empty) 1258531.. CvabDq2.. 192.168.1.102 138 192.168.1.255 138 udp - 2.248589 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258531.. CViJEOm.. 192.168.1.104 137 192.168.1.255 137 udp dns 3.748893 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CSC2Hd4.. 192.168.1.104 138 192.168.1.255 138 udp - 59.052898 549 0 S0 - - 0 D 3 633 0 0 (empty) 1258531.. Cd3RNm1.. 192.168.1.103 68 192.168.1.1 67 udp dhcp 0.044779 303 300 SF - - 0 Dd 1 331 1 328 (empty) 1258531.. CEwuIl2.. 192.168.1.102 138 192.168.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) 1258532.. CXxLc94.. 192.168.1.104 68 192.168.1.1 67 udp dhcp 0.002103 311 300 SF - - 0 Dd 1 339 1 328 (empty) 1258532.. CIFDQJV.. 192.168.1.102 1170 192.168.1.1 53 udp dns 0.068511 36 215 SF - - 0 Dd 1 64 1 243 (empty) 1258532.. CXFISh5.. 192.168.1.104 1174 192.168.1.1 53 udp dns 0.170962 36 215 SF - - 0 Dd 1 64 1 243 (empty) 1258532.. CQJw4C3.. 192.168.1.1 5353 224.0.0.251 5353 udp dns 0.100381 273 0 S0 - - 0 D 2 329 0 0 (empty) 1258532.. ClfEd43.. fe80::219:e3ff:fee7:5d23 5353 ff02::fb 5353 udp dns 0.100371 273 0 S0 - - 0 D 2 369 0 0 1258532.. C67zf02.. 192.168.1.103 137 192.168.1.255 137 udp dns 3.873818 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258532.. CG1FKF1.. 192.168.1.102 137 192.168.1.255 137 udp dns 3.748891 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258532.. CNFkeF2.. 192.168.1.103 138 192.168.1.255 138 udp - 2.257840 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258532.. Cq4eis4.. 192.168.1.102 1173 192.168.1.1 53 udp dns 0.000267 33 497 SF - - 0 Dd 1 61 1 525 (empty) 1258532.. CHpqv31.. 192.168.1.102 138 192.168.1.255 138 udp - 2.248843 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258532.. CFoJjT3.. 192.168.1.1 5353 224.0.0.251 5353 udp dns 0.099824 273 0 S0 - - 0 D 2 329 0 0 (empty) 1258532.. Cc3Ayyz.. fe80::219:e3ff:fee7:5d23 5353 ff02::fb 5353 udp dns 0.099813 273 0 S0 - - 0 D 2 369 0 0 15 / 29

  18. Example: Matching URLs Example event http_request(c: connection, method: string , path: string ) { if (method == "GET" && path == "/etc/passwd") NOTICE(SensitiveURL, c, path); } 16 / 29

  19. Example: Tracking SSH Hosts Example global ssh_hosts: set [ addr ]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder's address local service = c$id$resp_p; # Responder's port if (service != 22/tcp) return ; # Not SSH. if (responder in ssh_hosts) return ; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; } 17 / 29

  20. Example: Kaminsky Attack 1. Issue: vulnerable resolvers do not randomize DNS source ports 2. Identify relevant data: DNS, resolver address, UDP source port 3. Jot down your analysis ideas: ◮ “For each resolver, no connection should reuse the same source port” ◮ “For each resolver, connections should use random source ports” 4. Express analysis: ◮ “Count the number of unique source ports per resolver” 5. Use your toolbox: ◮ bro-cut id.resp_p id.orig_h id.orig_p < dns.log \ | awk '$1 == 53 { print $2, $3 }' \ # Basic DNS only | sort | uniq -d \ # Duplicate source ports | awk '{ print $1 }' | uniq # Extract unique hosts 6. Know your limitations: ◮ No measure of PRNG quality (Diehard tests, Martin-Löf randomness) ◮ Port reuse occurs eventually → false positives 7. Close the loop: write a Bro script that does the same 18 / 29

  21. Example: Kaminsky Attack Detector Example const local_resolvers = { 7.7.7.7, 7.7.7.8 } global ports: table [ addr ] of set [ port ] & create_expire =1hr; event dns_request(c: connection, ...) { local resolver = c$id$orig_h; # Extract source IP address. if (resolver ! in local_resolvers) return ; # Do not consider user DNS requests. local src_port = c$id$orig_p; # Extract source port. if (src_port ! in ports[resolver]) { add ports[resolver][src_port]: return ; } # If we reach this point, we have a duplicate source port. NOTICE(...); } 19 / 29

  22. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 19 / 29

  23. Your Turn! 20 / 29

  24. Ready, Set, Go! Running Bro Run Bro on the 2009-M57-day11-18 trace. Solution cd /tmp/berke1337 wget http://bit.ly/m57-trace zcat 2009-M57-day11-18.trace.gz | bro -r - 21 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy School of Engineering, University of Warwick, UK Introduction Mainstream approaches in intrusion detection do not scale well to the embedded

936 views • 7 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
What is Anomalies? If Efficient Market Hypothesis holds, all securities should have the same

What is Anomalies? If Efficient Market Hypothesis holds, all securities should have the same

What is Anomalies? If Efficient Market Hypothesis holds, all securities should have the same risk-adjusted returns. Lecture 2: Anomalies and Market o Therefore, observable stock characteristics such as size, PE ratio, or price-book value

248 views • 9 slides
FerMINI - Fermilab Search for Millicharged Particles &amp; Strongly Interacting Dark Matter Yu-Dai

FerMINI - Fermilab Search for Millicharged Particles &amp; Strongly Interacting Dark Matter Yu-Dai

https://web.fnal.gov/collaboration/sbn_sharepoint/SitePages/Civil_Construction.aspx FerMINI - Fermilab Search for Millicharged Particles &amp; Strongly Interacting Dark Matter Yu-Dai Tsai , Fermilab Theorist (WH674W) / U. Chicago Magill, Plestid,

740 views • 55 slides
Timing Update Darryl Veitch darryl.veitch@uts.edu.au School of Computing and Communications

Timing Update Darryl Veitch darryl.veitch@uts.edu.au School of Computing and Communications

Timing Update Darryl Veitch darryl.veitch@uts.edu.au School of Computing and Communications UNIVERSITY OF TECHNOLOGY SYDNEY UTS Timing Project Continues SyncLab Project formally at Uni of Melbourne n New testbed with Two 7.5G4 DAG

417 views • 15 slides
Announcements Department coin design contest deadline - IT420: Database Management and

Announcements Department coin design contest deadline - IT420: Database Management and

Announcements Department coin design contest deadline - IT420: Database Management and February 6 Organization 6-week exam Monday, February 12 Lab 4 SQL SQL Server: Normalization ALTER TABLE tname ADD COLUMN newCol

307 views • 6 slides
Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing

Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing

Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing Behavior Anomaly Correlation Presentation at 13th European Conference on Software Maintenance and Reengineering Nina Marwede 1 , Matthias Rohr 1 ,

439 views • 42 slides
Panorama des mthodes de dtection et de traitement des anomalies Laure Berti-quille IRD

Panorama des mthodes de dtection et de traitement des anomalies Laure Berti-quille IRD

Panorama des mthodes de dtection et de traitement des anomalies Laure Berti-quille IRD www.ird.fr laure.berti@ird.fr AAFD 2012 la recherche des problmes de qualit de donnes Dirty Data : Donnes malformates

934 views • 56 slides
Spatial and temporal extent of ionospheric anomalies during sudden stratospheric warmings in the

Spatial and temporal extent of ionospheric anomalies during sudden stratospheric warmings in the

Spatial and temporal extent of ionospheric anomalies during sudden stratospheric warmings in the daytime ionosphere Larisa Goncharenko, Shunrong Zhang, Anthea Coster, Leonid Benkevitch, Massachusetts Institute of Technology, MIT Haystack

422 views • 19 slides
24 February 2014 Counsellors Office of the State Council Beijing, China Please Provide

24 February 2014 Counsellors Office of the State Council Beijing, China Please Provide

Symposium on a New Type of Major Power Relationship James Hansen 24 February 2014 Counsellors Office of the State Council Beijing, China Please Provide Suggestions &amp; Criticisms All charts will be left with organizers, also at:

479 views • 35 slides

More recommend