Bro: A System for Detecting Network Intruders in Real-Time
Vern Paxson
Klevis Luli
Overview
What is an IDS?
Introduction to Bro
Background & Related work
How it works
The Bro language
Design Decisions
Attacks on the monitor
Experience & Future Improvement
What is an IDS?
Intrusion Detection System (IDS) or Network Intrusion Detection System (NIDS)
Real-time monitoring
o Detect attacks as they happen
Provide valuable information about:
o Successful attacks
o Attack attempts
Passive: monitors and reports
Active (IPS): employs additional measures to stop the attack
Good place to deploy one: the perimeter network (DMZ)
Introduction to Bro
An open source IDS that passively monitors network traffic and analyzes it in real time using deep packet inspection techniques
o Inspects the data portion of packets for certain patterns
Goals:
o High speed, large volume monitoring
o Real-time notifications
o Separate mechanism and policy
o Extensibility
o No packet drops
o Protect itself against most attacks
Background & Related Work
Commercial IDSs exist that perform the same kind of monitoring
Related work:
o Earlier version of this paper
o Paper from Ptacek and Newsham that focuses on attack methods
o No background literature for how monitors (IDS) are built
This paper describes how the monitor is designed and categorizes attacks against monitors in a different way
How it works
Captures network traffic using libpcap
Filters relevant network traffic at kernel level to reduce load
o Applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin
o IP fragments
o TCP packets with the SYN, FIN, or RST control bits set (these carry the connection information: time, duration, hosts, ports, ...)
Has an “event-engine”:
o Does integrity checks, reassembles IP datagrams, processes UDP/TCP, creates state for each connection, generates events
And a “policy script interpreter”:
o Interprets policy scripts (event handlers)
o Event queue processed according to policy scripts
o Policies written in Bro language
How it works
• Packet processing is done layer by layer, starting from the network and ending at the policy script interpreter
• If the integrity checks in the event engine fail, a new event is generated and the packets are dropped
• The policy script interpreter handles every queued event until the queue is empty or a timer expires
• Notification is done by generating new events, logging real-time notifications using syslog, recording data to disk...
The Bro Language
Data types:
o bool, int, count (unsigned int), double, string, time, interval, port, addr, record, set, table, file, list, patterns
o Patterns are regular expressions used for matching
o Operators: C-like, in, !in
Examples:
/rootkit-1\.[5-8]/ in filename    # pattern on the left of `in`, string on the right
const allowed_services: set[addr, port] = {
    [ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]],
    [nntp.lbl.gov, nntp],
};
if ( [ftp.lbl.gov, ftp] in allowed_services )
    ... it's okay ...
Design Decisions
Built in C++
Single threaded
To avoid race conditions and blocking while waiting for resources (such as DNS lookups)
Uses “calendar queues” to manage thousands of timers; insert and delete operations complete in O(1) time
Implemented their own regular-expression matching library
Higher performance
Offers more advanced pattern matching
Policy scripts are interpreted
Causes considerable overhead
Attacks on the monitor
Overload
o Send a lot of packets that will be filtered, generate events, or lead to logging/recording to disk, so that the monitor fails to keep up with the network traffic it has to process, and then attempt a network intrusion without being detected
o Mitigated with better hardware and by keeping the policy scripts confidential (knowing which events require more work requires knowledge of the scripts)
Crash
o Make it run out of resources, either through vulnerabilities in the source code or by generating a large amount of traffic that creates many states, and then proceed with the intrusion.
o Bro checks whether the engine is jammed; if so it terminates the Bro process, logs the reason and failure data, and executes a copy of tcpdump.
Attacks on the monitor
Subterfuge
Hides the meaning of the traffic the monitor analyzes.
Can never be detected if successful.
Bro employs a lot of countermeasures against the most common of these attacks.
Scan detection
Detect port and address scans by keeping track of newly-attempted connections to distinct network addresses or ports.
Experience & Future Improvement
• Experience from 3 years:
o 85 MB daily connection summaries, 40 real-time notifications
o Many false positives
o Detects 4–5 address and port scans each day.
o 150 incident reports filed
o “split routing” is a problem.
• Future improvements:
o Support for additional application protocols
o Compiling Bro scripts
o Distributing monitoring across multiple hosts in the network
o Intrusion prevention abilities.
The future…
• Bro 2.0 just released
• base/frameworks/cluster
• base/frameworks/communication
• base/frameworks/control
• base/frameworks/dpd
• base/frameworks/intel
• base/frameworks/logging
• base/frameworks/logging/postprocessors
• base/frameworks/metrics
• base/frameworks/notice
• base/frameworks/packet-filter
• base/frameworks/reporter
• base/frameworks/signatures
• base/frameworks/software
• base/protocols/conn
• base/protocols/dns
• base/protocols/ftp
• base/protocols/http
• base/protocols/irc
• base/protocols/smtp
• base/protocols/ssh
• base/protocols/ssl
• base/protocols/syslog
• policy/integration/barnyard2
• policy/tuning/defaults
• policy/tuning
Thank you!