High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Activity Logs: HTTP Sessions 1144876588.30 %2 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 %2 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 %2 > HOST: www.spiegel.de 1144876588.30 %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS ... 1144876588.30 %2 > ACCEPT: text/xml,application/xml,application/xhtml ... 1144876588.30 %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 %2 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 %2 < CACHE-CONTROL: max-age=120 1144876588.77 %2 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 %2
Architecture Packets Network Guest Lecture, RWTH Aachen 12 Thursday, December 16, 2010
Page 1 and 2: High-Performance Intrusion Detectio
Page 3 and 4: System Philosophy • Bro has been
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13: Activity Logs: Connections • One-
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 27 and 28: Event-Engine • Event-engine is wr
Page 29 and 30: Script Example: Tracking SSH Hosts
Page 31 and 32: Port-based Analysis • Bro has lot
Page 33 and 34: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47 and 48: Internet Traffic: Connections #conn
Page 49 and 50: Outline 1. Overview of the Bro Netw
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 57 and 58: Building a Concurrent NIDS • Can
Page 59 and 60: Load-Balancer Approach NIDS 10Gbps
Page 61 and 62: External Packet Demultiplexer Demux
Page 63 and 64: The Bro Cluster There are a number
Page 65 and 66:
Simulation of Packet Dispatcher !"#
Page 67 and 68:
cFlow: A Production Load-Balancer
Page 69 and 70:
UC Berkeley Cluster Monitored/gener
Page 71 and 72:
UC Berkeley Cluster Monitored/gener
Page 73 and 74:
Extensions 100GE(!) version is in p
Page 75 and 76:
“Real” Multi-Core NIDS • Clus
Page 77 and 78:
Bro’s Architecture Notification S
Page 79 and 80:
Bro’s Architecture Notification D
Page 81 and 82:
Script Example: Matching URLs Task:
Page 83 and 84:
Script Example 3: Aggregated Task:
Page 85 and 86:
Parallel Event Scheduling Threaded
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Implementation of Multi-Core Bro
Page 95 and 96:
Script-Engine Performance So Far ..
Page 97 and 98:
Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?