High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Dynamic Protocol <strong>Detection</strong> Web Client Request for /index.html Web Server 1.2.3.4/4321 5.6.7.8/80 Port 80? Method Path Version Header HTTP GET /index.html HTTP/1.1\nServer: ... http_request Guest Lecture, RWTH Aachen 20 Thursday, December 16, 2010
Dynamic Protocol <strong>Detection</strong> Web Client Request for /index.html Web Server 1.2.3.4/4321 5.6.7.8/80 Port 80? HTTP Method Path Version Header GET /index.html HTTP/1.1\nServer: ... If it parses right http_request Guest Lecture, RWTH Aachen 20 Thursday, December 16, 2010
Page 1 and 2: High-Performance Intrusion Detectio
Page 3 and 4: System Philosophy • Bro has been
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13 and 14: Activity Logs: Connections • One-
Page 15 and 16: Architecture Packets Network Guest
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 27 and 28: Event-Engine • Event-engine is wr
Page 29 and 30: Script Example: Tracking SSH Hosts
Page 31 and 32: Port-based Analysis • Bro has lot
Page 33: Dynamic Protocol Detection Web Clie
Page 37 and 38: Dynamic Protocol Detection Web Clie
Page 39 and 40: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47 and 48: Internet Traffic: Connections #conn
Page 49 and 50: Outline 1. Overview of the Bro Netw
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 57 and 58: Building a Concurrent NIDS • Can
Page 59 and 60: Load-Balancer Approach NIDS 10Gbps
Page 61 and 62: External Packet Demultiplexer Demux
Page 63 and 64: The Bro Cluster There are a number
Page 65 and 66: Simulation of Packet Dispatcher !"#
Page 67 and 68: cFlow: A Production Load-Balancer
Page 69 and 70: UC Berkeley Cluster Monitored/gener
Page 71 and 72: UC Berkeley Cluster Monitored/gener
Page 73 and 74: Extensions 100GE(!) version is in p
Page 75 and 76: “Real” Multi-Core NIDS • Clus
Page 77 and 78: Bro’s Architecture Notification S
Page 79 and 80: Bro’s Architecture Notification D
Page 81 and 82: Script Example: Matching URLs Task:
Page 83 and 84: Script Example 3: Aggregated Task:
Page 85 and 86:
Parallel Event Scheduling Threaded
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Implementation of Multi-Core Bro
Page 95 and 96:
Script-Engine Performance So Far ..
Page 97 and 98:
Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?