High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Expressing Policy • Custom, domain-specific language • Bro ships with 20K+ lines of script code • Default scripts detect attacks & log activity extensively • Language is • Procedural • Event-based • Strongly typed • Rich in types • Usual script-language types, such as tables and sets • Domain-specific types, such as addresses, ports, subnets • Supporting state management (expiration, timers, etc.) • Supporting communication with other Bro instances Guest Lecture, RWTH Aachen 18 Thursday, December 16, 2010
Port-based Analysis • Bro has lots of application-layer analyzers • But which protocol does a connection use? • Traditionally NIDS rely on ports • Port 80? Oh, that’s HTTP. • Obviously deficient in two ways • There’s non-HTTP traffic on port 80 (firewalls tend to open this port...) • There’s HTTP on ports other than port 80 • Particularly problematic for security monitoring • Want to know if somebody avoids the well-known port Guest Lecture, RWTH Aachen 19 Thursday, December 16, 2010
Page 1 and 2: High-Performance Intrusion Detectio
Page 3 and 4: System Philosophy • Bro has been
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13 and 14: Activity Logs: Connections • One-
Page 15 and 16: Architecture Packets Network Guest
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 27 and 28: Event-Engine • Event-engine is wr
Page 29: Script Example: Tracking SSH Hosts
Page 33 and 34: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47 and 48: Internet Traffic: Connections #conn
Page 49 and 50: Outline 1. Overview of the Bro Netw
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 57 and 58: Building a Concurrent NIDS • Can
Page 59 and 60: Load-Balancer Approach NIDS 10Gbps
Page 61 and 62: External Packet Demultiplexer Demux
Page 63 and 64: The Bro Cluster There are a number
Page 65 and 66: Simulation of Packet Dispatcher !"#
Page 67 and 68: cFlow: A Production Load-Balancer
Page 69 and 70: UC Berkeley Cluster Monitored/gener
Page 71 and 72: UC Berkeley Cluster Monitored/gener
Page 73 and 74: Extensions 100GE(!) version is in p
Page 75 and 76: “Real” Multi-Core NIDS • Clus
Page 77 and 78: Bro’s Architecture Notification S
Page 79 and 80: Bro’s Architecture Notification D
Page 81 and 82:
Script Example: Matching URLs Task:
Page 83 and 84:
Script Example 3: Aggregated Task:
Page 85 and 86:
Parallel Event Scheduling Threaded
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Implementation of Multi-Core Bro
Page 95 and 96:
Script-Engine Performance So Far ..
Page 97 and 98:
Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?