Upload
loren-mclaughlin
View
214
Download
0
Embed Size (px)
Citation preview
Bro: A System for Detecting network Intruders in Real-TimeVern Paxson
Klevis Luli
Overview
What is an IDS? Introduction to Bro Background & Related work How it works The Bro language Design Decisions Attacks on the monitor Experience & Future Improvement
What is an IDS?
Intrusion Detection System or Network Intrusion detection System
Real-time monitoringo Detect attacks as they happen
Provide valuable information about:o Successful attackso Attack attempts
Passive: monitors and reports Active (IPS): employs additional measures to stop attack Good place to put: Perimeter network (DMZ)
Introduction to Bro
An open source IDS that passively monitors network traffic and analyzes it in real time by using deep packet inspection techniqueso Inspects the data portion of packets for certain patterns
Goals:o High speed, large volume monitoringo Real-time notificationso Separate mechanism and policyo Extensibilityo No packet dropso Protect itself against most attacks
Background & Related Work
Commercial IDS that do the same Related work:
o Earlier version of this papero Paper from Ptacek and Newsham that focuses on attack methodso No background literature for how monitors (IDS) are built
This paper described how it is designed and categorizes attacks against monitors in a different way
How it works
Captures network traffic using libpcap Filters relevant network traffic at kernel level to reduce loado Applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogino IP fragmentso TCP packets with SYN,FIN, or RST control bits set(connection information
such as time, duration, hosts, ports..) Has an “event-engine”:o Does Integrity checks, reassembles IP datagrams, processes UDP\TCP,
creates a state for each connection, generates events And a “policy script interpreter”:
o Interprets policy scripts (event handlers) o Event queue processed according to policy scriptso Policies written in Bro language
How it works
• Packet processing is done layer by layer, starting from the network to the policy script interpreter
• If integrity checks at event engine fail a new event is generated and the packets are dropped
• Policy scripts interpreter generates every event until queue is empty or timer expired
• Notification is done by including generating new events, logging real-time notifications using syslog, recording data to disk…
The Bro Language
Data types:o bool, int, count (unsigned int), double, string, time, interval, port, addr,
record, set, table, file, list, patterns o Patterns are regular expressions used for matchingo Operators: C-like, in, !in
Examples:filename in /rootkit-1\.[5-8]/const allowed_services: set[addr, port] = {
[ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]],[nntp.lbl.gov, nntp]};
if ( [ftp.lbl.gov, ftp] in allowed_services )... it's okay ...
Design Decisions
Built in C++ Single threaded
To avoid race conditions and blocks when waiting for resources (such as DNS lookups)
Uses “calendar queues” to manage thousands timers, insert and delete operations completed at O (1) time
Implemented their own regular-expression matching library Higher performance
Offers more advanced pattern matching Policy scripts are interpreted
Causes considerable overhead
Attacks on the monitor
Overloado Send a lot of packets that will be filtered, generate events, or lead to
logging\recording to disk so that it fails to keep up with the network traffic it has to process, and then then attempt a network intrusion without being detected
o Mitigated with better hardware, and confidentiality of policy scripts (knowing which events require more work requires knowledge of scripts)
Crasho Make it run out of resources through vulnerabilities in source code or
generating a large amount of traffic that creates many states, and then proceeds with the intrusion.
o Bro checks if the engine is jammed, terminates the Bro process while logging reason and failure data, and executes a copy of tcpdump.
Attacks on the monitor
Subterfuge Hides the meaning of the traffic the monitor analyzes. Can never be detected if successful. Bro employs a lot of countermeasures against the most common of these
attacks. Scan detection
Detect port and address scans by keeping track of newly-attempted connections to distinct network addresses or ports.
Experience & Future Improvement
• Experience from 3 years:o 85 MB daily connection summaries, 40 real-time notificationso Many false positiveso Detects 4–5 address and port scans each day. o 150 incident reports filed o “split routing” is a problem.
• Future improvements:o Support for additional application protocolso Compiling Bro scriptso Distributing monitoring across multiple hosts in the networko Intrusion prevention abilities.
The future…
• Bro 2.0 just released• base/frameworks/cluster• base/frameworks/communication• base/frameworks/control• base/frameworks/dpd• base/frameworks/intel• base/frameworks/logging• base/frameworks/logging/postprocessors• base/frameworks/metrics• base/frameworks/notice• base/frameworks/packet-filter• base/frameworks/reporter
• base/frameworks/signatures• base/frameworks/software• base/protocols/conn• base/protocols/dns
• base/protocols/ftp• base/protocols/http• base/protocols/irc• base/protocols/smtp• base/protocols/ssh• base/protocols/ssl• base/protocols/syslog• Policy/integration/barnyard2• policy/tuning/defaults• policy/tuning
Thank you!