Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Klevis Luli


Page 1: Bro: A System for Detecting Network Intruders in Real-Time

Vern Paxson

Klevis Luli

Page 2: Overview

• What is an IDS?
• Introduction to Bro
• Background & Related work
• How it works
• The Bro language
• Design Decisions
• Attacks on the monitor
• Experience & Future Improvement

Page 3: What is an IDS?

• Intrusion Detection System or Network Intrusion Detection System
• Real-time monitoring
  o Detects attacks as they happen
• Provides valuable information about:
  o Successful attacks
  o Attack attempts
• Passive: monitors and reports
• Active (IPS): employs additional measures to stop the attack
• Good place to put it: the perimeter network (DMZ)

Page 4: Introduction to Bro

• An open-source IDS that passively monitors network traffic and analyzes it in real time using deep packet inspection techniques
  o Inspects the data portion of packets for certain patterns
• Goals:
  o High-speed, large-volume monitoring
  o Real-time notifications
  o Separate mechanism and policy
  o Extensibility
  o No packet drops
  o Protect itself against most attacks

Page 5: Background & Related Work

• Commercial IDSs exist that do the same
• Related work:
  o An earlier version of this paper
  o A paper from Ptacek and Newsham that focuses on attack methods
  o No background literature on how monitors (IDSs) are built
• This paper describes how Bro is designed and categorizes attacks against monitors in a different way

Page 6: How it works

• Captures network traffic using libpcap
• Filters relevant network traffic at the kernel level to reduce load
  o Applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin
  o IP fragments
  o TCP packets with the SYN, FIN, or RST control bits set (connection information such as time, duration, hosts, ports...)
• Has an "event engine":
  o Does integrity checks, reassembles IP datagrams, processes UDP/TCP, creates a state for each connection, generates events
• And a "policy script interpreter":
  o Interprets policy scripts (event handlers)
  o The event queue is processed according to the policy scripts
  o Policies are written in the Bro language

Page 7: How it works (continued)

• Packet processing is done layer by layer, starting from the network layer and ending at the policy script interpreter
• If an integrity check in the event engine fails, a new event is generated and the packet is dropped
• The policy script interpreter processes every event in the queue until the queue is empty or a timer expires
• Notification is done by generating new events, logging real-time notifications using syslog, recording data to disk, ...
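As an added illustration of the pipeline on these two slides (not code from the paper or from Bro itself), the following Python model runs constructed packets through a stand-in kernel filter, a small event engine that keeps per-connection state and queues events, and policy handlers that drain the queue. The packet format, the port numbers and the integrity check are assumptions made for the demo.

```python
from collections import defaultdict, deque
APP_PORTS = {21: "ftp", 23: "telnet", 79: "finger", 111: "portmapper",
             113: "ident", 513: "rlogin"}      # assumed port numbers for the filtered apps
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def kernel_filter(pkt):
    """Stand-in for the libpcap/BPF filter: SYN/FIN/RST packets plus monitored app ports."""
    return bool(pkt["flags"] & (SYN | FIN | RST)) or pkt["dport"] in APP_PORTS

class EventEngine:
    def __init__(self):
        self.conns, self.queue, self.handlers = {}, deque(), defaultdict(list)

    def on(self, event, handler):   # a policy script registering an event handler
        self.handlers[event].append(handler)

    def process(self, pkt):
        if pkt["len"] < 20:         # integrity check failed: raise an event, drop the packet
            self.queue.append(("bad_packet", pkt))
        else:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            conn = self.conns.get(key) or self.conns.get(key[2:] + key[:2])
            if conn is None and pkt["flags"] & SYN:          # state for a new connection
                conn = self.conns[key] = {"start": pkt["ts"], "state": "attempt",
                                          "service": APP_PORTS.get(pkt["dport"], "other")}
                self.queue.append(("connection_attempt", conn))
            elif conn and pkt["flags"] & (FIN | RST):        # connection torn down
                conn["state"] = "rejected" if pkt["flags"] & RST else "finished"
                conn["duration"] = pkt["ts"] - conn["start"]
                self.queue.append(("connection_finished", conn))
        while self.queue:           # run policy handlers until the queue is empty
            event, arg = self.queue.popleft()
            for handler in self.handlers[event]:
                handler(arg)

def run_demo():
    """Constructed traffic (ts in ms): telnet session, RST-rejected ident attempt, unmonitored packet, truncated FTP SYN."""
    notices, eng = [], EventEngine()
    eng.on("connection_finished", lambda c: notices.append((c["service"], c["state"], c["duration"])))
    eng.on("bad_packet", lambda p: notices.append(("bad_packet", p["len"])))
    pkts = [dict(ts=0, src="10.0.0.5", sport=4000, dst="10.0.0.9", dport=23, flags=SYN, len=40),
            dict(ts=100, src="10.0.0.9", sport=23, dst="10.0.0.5", dport=4000, flags=SYN | ACK, len=40),
            dict(ts=5000, src="10.0.0.5", sport=4000, dst="10.0.0.9", dport=23, flags=FIN | ACK, len=40),
            dict(ts=6000, src="10.0.0.7", sport=4001, dst="10.0.0.9", dport=113, flags=SYN, len=40),
            dict(ts=6100, src="10.0.0.9", sport=113, dst="10.0.0.7", dport=4001, flags=RST, len=40),
            dict(ts=7000, src="10.0.0.7", sport=4002, dst="10.0.0.9", dport=8080, flags=ACK, len=40),
            dict(ts=8000, src="10.0.0.7", sport=4003, dst="10.0.0.9", dport=21, flags=SYN, len=12)]
    for p in filter(kernel_filter, pkts):   # only what the kernel filter keeps reaches the engine
        eng.process(p)
    return notices
```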

Page 8: The Bro Language

• Data types:
  o bool, int, count (unsigned int), double, string, time, interval, port, addr, record, set, table, file, list, pattern
  o Patterns are regular expressions used for matching
  o Operators: C-like, plus in and !in
• Examples:

    filename in /rootkit-1\.[5-8]/

    const allowed_services: set[addr, port] = {
        [ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]],
        [nntp.lbl.gov, nntp],
    };

    if ( [ftp.lbl.gov, ftp] in allowed_services )
        ... it's okay ...

Page 9: Design Decisions

• Built in C++
• Single threaded
  o To avoid race conditions and blocking while waiting for resources (such as DNS lookups)
• Uses "calendar queues" to manage thousands of timers; insert and delete operations complete in O(1) time
• Implemented their own regular-expression matching library
  o Higher performance
  o Offers more advanced pattern matching
• Policy scripts are interpreted
  o Causes considerable overhead
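An added example of the calendar-queue idea (illustrative Python, not Bro's C++ implementation): timers are bucketed by due time so that scheduling and cancelling cost O(1), and expiry walks only the buckets the clock has passed. The bucket count, the width and the timer scenario are chosen for the demo.

```python
class CalendarQueue:
    """Calendar queue as used by Bro for its timers: an array of buckets, each
    covering `width` time units; a timer due at t lands in bucket (t // width)
    % nbuckets. Insert and cancel are O(1); expiry walks only the buckets the
    clock has passed since the last call. Illustrative Python, not Bro's code."""
    def __init__(self, nbuckets=64, width=1.0):
        self.nbuckets, self.width, self.now, self.next_id = nbuckets, width, 0.0, 0
        self.buckets = [dict() for _ in range(nbuckets)]  # bucket -> {tid: (t, callback)}
        self.where = {}                                     # tid -> bucket, for O(1) cancel

    def schedule(self, t, callback):
        """O(1) insert: drop the timer into its bucket and remember where it went."""
        tid, self.next_id = self.next_id, self.next_id + 1
        b = int(t // self.width) % self.nbuckets
        self.buckets[b][tid] = (t, callback)
        self.where[tid] = b
        return tid

    def cancel(self, tid):
        """O(1) delete, e.g. the connection finished before its timeout fired."""
        b = self.where.pop(tid, None)
        if b is None:
            return False
        del self.buckets[b][tid]
        return True

    def advance(self, now):
        """Fire, in time order, every timer due by `now`; visits at most one lap of buckets."""
        first, last = int(self.now // self.width), int(now // self.width)
        due = []
        for k in range(first, min(last, first + self.nbuckets - 1) + 1):
            bucket = self.buckets[k % self.nbuckets]
            for tid, (t, cb) in list(bucket.items()):
                if t <= now:                # timers belonging to later laps stay put
                    due.append((t, tid, cb))
                    del bucket[tid], self.where[tid]
        self.now = now
        return [cb(t) for t, _, cb in sorted(due, key=lambda d: d[:2])]

def run_demo():
    """Constructed scenario: three attempt timeouts, one cancelled early, then a clock jump of a full lap."""
    q = CalendarQueue(nbuckets=8, width=1.0)
    q.schedule(2.5, lambda t: ("conn-A", t))
    b = q.schedule(4.0, lambda t: ("conn-B", t))
    q.schedule(3.2, lambda t: ("conn-C", t))
    cancelled = q.cancel(b)      # conn-B completed its handshake; the timeout is no longer needed
    first = q.advance(3.0)       # only conn-A is due
    second = q.advance(10.0)     # seven widths later: wraps around the 8-bucket calendar
    return cancelled, first, second
```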

Page 10: Attacks on the monitor

• Overload
  o Send a lot of packets that will be filtered, generate events, or lead to logging/recording to disk, so that the monitor fails to keep up with the network traffic it has to process, and then attempt a network intrusion without being detected
  o Mitigated with better hardware and by keeping policy scripts confidential (knowing which events require more work requires knowledge of the scripts)
• Crash
  o Make it run out of resources through vulnerabilities in the source code, or by generating a large amount of traffic that creates many states, and then proceed with the intrusion
  o Bro checks whether the engine is jammed; if so, it terminates the Bro process while logging the reason and failure data, and executes a copy of tcpdump

Page 11: Attacks on the monitor (continued)

• Subterfuge
  o Hides the meaning of the traffic the monitor analyzes; can never be detected if successful
  o Bro employs many countermeasures against the most common of these attacks
• Scan detection
  o Detects port and address scans by keeping track of newly attempted connections to distinct network addresses or ports

Page 12: Experience & Future Improvement

• Experience from 3 years:
  o 85 MB of daily connection summaries, 40 real-time notifications
  o Many false positives
  o Detects 4–5 address and port scans each day
  o 150 incident reports filed
  o "Split routing" is a problem
• Future improvements:
  o Support for additional application protocols
  o Compiling Bro scripts
  o Distributing monitoring across multiple hosts in the network
  o Intrusion prevention abilities

Page 13: The future...

• Bro 2.0 just released
• base/frameworks/cluster
• base/frameworks/communication
• base/frameworks/control
• base/frameworks/dpd
• base/frameworks/intel
• base/frameworks/logging
• base/frameworks/logging/postprocessors
• base/frameworks/metrics
• base/frameworks/notice
• base/frameworks/packet-filter
• base/frameworks/reporter
• base/frameworks/signatures
• base/frameworks/software
• base/protocols/conn
• base/protocols/dns
• base/protocols/ftp
• base/protocols/http
• base/protocols/irc
• base/protocols/smtp
• base/protocols/ssh
• base/protocols/ssl
• base/protocols/syslog
• policy/integration/barnyard2
• policy/tuning/defaults
• policy/tuning

Page 14: Thank you!