High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Event Model Web Client 1.2.3.4/4321 ... Stream of TCP packets Request for /index.html Status OK plus data SYN SYN ACK ACK ACK ACK FIN FIN ... Web Server 5.6.7.8/80 Event connection_established(1.2.3.4/43215.6.7.8/80) TCP stream reassembly for originator Event http_request(1.2.3.4/43215.6.7.8/80, “GET”, “/index.html”) TCP stream reassembly for responder Event http_reply(1.2.3.4/43215.6.7.8/80, 200, “OK”, data) Event connection_finished(1.2.3.4/4321, 5.6.7.8/80) Guest Lecture, RWTH Aachen 14 Thursday, December 16, 2010
Event-Engine • Event-engine is written in C++ • Performs policy-neutral analysis • Turns low-level activity into high-level events • Examples: connection_established, http_request • Events are annotated <strong>with</strong> context (e.g., IP addresses, URL) • Contains analyzers for >30 protocols, including • ARP, IP, ICMP, TCP, UDP • DCE-RPC, DNS, FTP, Finger, Gnutella, HTTP, IRC, Ident, NCP, NFS, NTP, NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP, SSH, SSL, SunRPC, Telnet • Analyzers generate ~300 types of events Guest Lecture, RWTH Aachen 15 Thursday, December 16, 2010
Page 1 and 2: High-Performance Intrusion Detectio
Page 3 and 4: System Philosophy • Bro has been
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13 and 14: Activity Logs: Connections • One-
Page 15 and 16: Architecture Packets Network Guest
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 23 and 24: Event Model Web Client 1.2.3.4/4321
Page 25: Event Model Web Client 1.2.3.4/4321
Page 29 and 30: Script Example: Tracking SSH Hosts
Page 31 and 32: Port-based Analysis • Bro has lot
Page 33 and 34: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47 and 48: Internet Traffic: Connections #conn
Page 49 and 50: Outline 1. Overview of the Bro Netw
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 57 and 58: Building a Concurrent NIDS • Can
Page 59 and 60: Load-Balancer Approach NIDS 10Gbps
Page 61 and 62: External Packet Demultiplexer Demux
Page 63 and 64: The Bro Cluster There are a number
Page 65 and 66: Simulation of Packet Dispatcher !"#
Page 67 and 68: cFlow: A Production Load-Balancer
Page 69 and 70: UC Berkeley Cluster Monitored/gener
Page 71 and 72: UC Berkeley Cluster Monitored/gener
Page 73 and 74: Extensions 100GE(!) version is in p
Page 75 and 76: “Real” Multi-Core NIDS • Clus
Page 77 and 78:
Bro’s Architecture Notification S
Page 79 and 80:
Bro’s Architecture Notification D
Page 81 and 82:
Script Example: Matching URLs Task:
Page 83 and 84:
Script Example 3: Aggregated Task:
Page 85 and 86:
Parallel Event Scheduling Threaded
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Implementation of Multi-Core Bro
Page 95 and 96:
Script-Engine Performance So Far ..
Page 97 and 98:
Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?