Bro
GGF
Typical Approach:
Firewall with “default deny” policy
LBNL approach: IDS with blocking router
[Diagram: Internet / blocking router / IDS]
[Figure: Number of TCP connection attempts per week, Jan 2000 to Aug 2004; y-axis 0 to 400,000,000 attempts per week, x-axis 1/1/2000 to 7/1/2004]
LBNL Inbound (from Internet) TCP Traffic
[Figure: TCP connection attempts, scanning vs. legitimate, as percent of total, Jan 2000 to Aug 2004; y-axis 0% to 100%, x-axis 1/1/2000 to 7/1/2004; series labelled "Scanning traffic"]
Bro Goals & Requirements
(1995)
• Ability to monitor traffic in a very high performance
environment
• Real-time detection and response
• Separation of mechanism from policy
• Ready extensibility of both mechanism and policy
• Resistant to evasion
How Bro Works
[Diagram, bottom to top: Network -> Packet Stream -> libpcap -> Tcpdump Filter -> Filtered Packet Stream -> Event Engine -> Event Stream (upward) / Event Control (downward)]
• "Event engine" distills the filtered stream into high-level, policy-neutral events reflecting underlying network activity
 – E.g. connection-level:
  • connection attempt
  • connection finished
 – E.g. application-level:
  • ftp request
  • http_reply
 – E.g. activity-level:
  • login success
Signature Engine
Examples of Bro's Contextual Signatures ("Rules")
Bro as a Tool for Network Analysis/Forensics
WU-FTP buffer overflow attack
Alarm:
Jan 21 01:31:56 ssl.hawera.de/1540 > obsidian/ftp #18 excessive filename: 00000000000000000000000000000000..[495]..
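The following is an added illustration, not code from the slides or from Bro itself. It models the pipeline described under "How Bro Works" (packet stream, tcpdump-style filter, event engine emitting policy-neutral events, policy handlers written against those events) and ends with a policy rule that reproduces the "excessive filename" alarm format quoted above. The hosts, the monitored ports, the 527-byte CWD argument, and the length threshold MAX_FTP_ARG_LEN are all constructed assumptions; the slide does not give Bro's real threshold or its internal event names beyond the ones listed.

```python
"""Toy model of Bro's layered pipeline (added illustration, not Bro's code):
packets -> tcpdump-style filter -> event engine (policy-neutral events)
-> policy handlers (site-specific alarms).  The alarm text copies the
format of the 'excessive filename' alarm shown on the slide."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Tuple[str, int, str, int, str, bytes]  # src, sport, dst, dport, TCP flags, payload

# Constructed sample traffic (hypothetical hosts).  The ssl.hawera.de/1540 ->
# obsidian/ftp exchange mimics the slide's attack: a CWD whose argument is
# 527 zeros (displayed below as 32 zeros followed by "..[495]..").
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 40001, "obsidian", 22, "S", b""),
    ("ssl.hawera.de", 1540, "obsidian", 21, "S", b""),
    ("ssl.hawera.de", 1540, "obsidian", 21, "A", b"USER anonymous\r\n"),
    ("ssl.hawera.de", 1540, "obsidian", 21, "A", b"CWD " + b"0" * 527 + b"\r\n"),
    ("ssl.hawera.de", 1540, "obsidian", 21, "F", b""),
    ("10.0.0.9", 40002, "obsidian", 21, "A", b"RETR secret\r\n"),    # no SYN seen: engine ignores it
    ("10.0.0.7", 40003, "obsidian", 80, "A", b"GET / HTTP/1.0\r\n"),  # dropped by the filter
]

MONITORED_PORTS = {21, 22}     # hypothetical filter, like tcpdump 'tcp port 21 or tcp port 22'
SERVICE_NAMES = {21: "ftp", 22: "ssh"}
MAX_FTP_ARG_LEN = 200          # hypothetical threshold; the slide does not state Bro's value


def packet_filter(pkt: Packet) -> bool:
    """libpcap/tcpdump filter stage: only traffic to monitored services reaches the engine."""
    return pkt[3] in MONITORED_PORTS


@dataclass
class Event:
    name: str
    args: dict


class EventEngine:
    """Distills the filtered packet stream into policy-neutral events and hands
    each one to the policy layer as soon as it is generated (real-time)."""

    def __init__(self, dispatch: Callable[[Event], None]):
        self.dispatch = dispatch
        self.conns: Dict[tuple, int] = {}   # 4-tuple -> connection id
        self.next_id = 1
        self.events: List[Event] = []       # record of everything emitted

    def emit(self, name: str, **args) -> None:
        ev = Event(name, args)
        self.events.append(ev)
        self.dispatch(ev)

    def feed(self, pkt: Packet) -> None:
        src, sport, dst, dport, flags, payload = pkt
        key = (src, sport, dst, dport)
        if "S" in flags and key not in self.conns:
            self.conns[key] = self.next_id
            self.next_id += 1
            self.emit("connection_attempt", conn=key, id=self.conns[key])
        if key not in self.conns:
            return  # never saw the SYN; a real engine also copes with partial connections
        if payload and dport == 21:
            # Application-level event: one FTP command line -> one ftp_request event.
            line = payload.decode("ascii", "replace").rstrip("\r\n")
            cmd, _, arg = line.partition(" ")
            self.emit("ftp_request", conn=key, id=self.conns[key], command=cmd.upper(), arg=arg)
        if "F" in flags or "R" in flags:
            self.emit("connection_finished", conn=key, id=self.conns.pop(key))


def ftp_request_policy(ev: Event, alarms: List[str]) -> None:
    """Policy layer: a site rule written against the ftp_request event, flagging
    filename arguments long enough to be an overflow attempt."""
    if ev.args["command"] in {"CWD", "RETR", "STOR", "LIST", "NLST", "DELE", "MKD", "RMD"} \
            and len(ev.args["arg"]) > MAX_FTP_ARG_LEN:
        src, sport, dst, dport = ev.args["conn"]
        arg = ev.args["arg"]
        shown = arg[:32] + f"..[{len(arg) - 32}].."   # same truncated display as the slide
        alarms.append(f"{src}/{sport} > {dst}/{SERVICE_NAMES[dport]} #{ev.args['id']} "
                      f"excessive filename: {shown}")


def run(packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Push packets through filter -> engine -> policy; return (event names, alarms)."""
    alarms: List[str] = []
    handlers = {"ftp_request": lambda ev: ftp_request_policy(ev, alarms)}
    engine = EventEngine(lambda ev: handlers.get(ev.name, lambda _: None)(ev))
    for pkt in packets:
        if packet_filter(pkt):
            engine.feed(pkt)
    return [ev.name for ev in engine.events], alarms


if __name__ == "__main__":
    names, alarms = run(SAMPLE_PACKETS)
    print(names)
    print("\n".join(alarms))
```

The separation the slide calls "mechanism from policy" is the boundary between EventEngine (which knows how to parse TCP and FTP but raises no alarms) and ftp_request_policy (which knows nothing about packets and only sees events); changing the threshold or the set of commands touches the policy function alone.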
Related Research
New Project: Shunting
[Diagram: External Network and Internal Network joined through a GigE router/interface containing an FPGA filter; control and analysis traffic passes between the filter and Bro]
Bro is a part of an overall cyber security strategy
[Diagram: Incident Response, Virus Protection, Scanning, Firewall, Bro]