Bro: A System for Detecting network Intruders in Real-Time Vern Paxson Klevis Luli Overview What is an IDS? Introduction to Bro Background & Related work How it works The Bro language Design Decisions Attacks on the monitor Experience & Future Improvement What is an IDS? Intrusion Detection System or Network Intrusion detection System Real-time monitoring o Detect attacks as they happen Provide valuable information about: o Successful attacks o Attack attempts Passive: monitors and reports Active (IPS): employs additional measures to stop attack Good place to put: Perimeter network (DMZ) Introduction to Bro An open source IDS that passively monitors network traffic and analyzes it in real time by using deep packet inspection techniques o Inspects the data portion of packets for certain patterns Goals: o High speed, large volume monitoring o Real-time notifications o Separate mechanism and policy o Extensibility o No packet drops o Protect itself against most attacks Background & Related Work Commercial IDS that do the same Related work: o Earlier version of this paper o Paper from Ptacek and Newsham that focuses on attack methods o No background literature for how monitors (IDS) are built This paper described how it is designed and categorizes attacks against monitors in a different way How it works Captures network traffic using libpcap Filters relevant network traffic at kernel level to reduce load o Applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin o IP fragments o TCP packets with SYN,FIN, or RST control bits set(connection information such as time, duration, hosts, ports..) Has an “event-engine”: o Does Integrity checks, reassembles IP datagrams, processes UDP\TCP, creates a state for each connection, generates events And a “policy script interpreter”: o Interprets policy scripts (event handlers) o Event queue processed according to policy scripts o Policies written in Bro language How it works • Packet processing is done layer by layer, starting from the network to the policy script interpreter • If integrity checks at event engine fail a new event is generated and the packets are dropped • Policy scripts interpreter generates every event until queue is empty or timer expired • Notification is done by including generating new events, logging realtime notifications using syslog, recording data to disk… The Bro Language Data types: o bool, int, count (unsigned int), double, string, time, interval, port, addr, record, set, table, file, list, patterns o Patterns are regular expressions used for matching o Operators: C-like, in, !in Examples: filename in /rootkit-1\.[5-8]/ const allowed_services: set[addr, port] = { [ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]], [nntp.lbl.gov, nntp]}; if ( [ftp.lbl.gov, ftp] in allowed_services ) ... it's okay ... Design Decisions Built in C++ Single threaded To avoid race conditions and blocks when waiting for resources (such as DNS lookups) Uses “calendar queues” to manage thousands timers, insert and delete operations completed at O (1) time Implemented their own regular-expression matching library Higher performance Offers more advanced pattern matching Policy scripts are interpreted Causes considerable overhead Attacks on the monitor Overload o Send a lot of packets that will be filtered, generate events, or lead to logging\recording to disk so that it fails to keep up with the network traffic it has to process, and then then attempt a network intrusion without being detected o Mitigated with better hardware, and confidentiality of policy scripts (knowing which events require more work requires knowledge of scripts) Crash o Make it run out of resources through vulnerabilities in source code or generating a large amount of traffic that creates many states, and then proceeds with the intrusion. o Bro checks if the engine is jammed, terminates the Bro process while logging reason and failure data, and executes a copy of tcpdump. Attacks on the monitor Subterfuge Hides the meaning of the traffic the monitor analyzes. Can never be detected if successful. Bro employs a lot of countermeasures against the most common of these attacks. Scan detection Detect port and address scans by keeping track of newly-attempted connections to distinct network addresses or ports. Experience & Future Improvement • Experience from 3 years: o o o o 85 MB daily connection summaries, 40 real-time notifications Many false positives Detects 4–5 address and port scans each day. 150 incident reports filed o “split routing” is a problem. • Future improvements: o o o o Support for additional application protocols Compiling Bro scripts Distributing monitoring across multiple hosts in the network Intrusion prevention abilities. The future… • Bro 2.0 just released • base/frameworks/cluster • base/protocols/ftp • base/frameworks/communication • base/protocols/http • base/frameworks/control • base/protocols/irc • base/frameworks/dpd • base/protocols/smtp • base/frameworks/intel • base/protocols/ssh • base/frameworks/logging • base/protocols/ssl • base/frameworks/logging/postprocessors • base/protocols/syslog • base/frameworks/metrics • Policy/integration/barnyard2 • base/frameworks/notice • policy/tuning/defaults • base/frameworks/packet-filter • policy/tuning • base/frameworks/reporter • base/frameworks/signatures • base/frameworks/software • base/protocols/conn • base/protocols/dns Thank you!