Bro 2.0 and Beyond · 2012-02-13 · slide transcript
Dagstuhl 2012
Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012
Bro 2.0 and Beyond
The Bro Network Security Monitor
Outline
- Bro Introduction: “Much different from the typical IDS you may know”
- Hot off the Press: Bro 2.0. Focus on operational deployment.
- Current Research Projects: Real-time Intelligence; Performance for next-gen environments.
What is Bro?
[Diagram] Packet Capture → Traffic Inspection → Attack Detection → Log Recording (NetFlow and syslog shown alongside the recording stage).
Flexibility: Abstraction, Data Structures; the scripting language is described as a “Domain-specific Python”.
Philosophy
- Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro.
- Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis.
- Can accommodate a range of detection approaches. Policy-neutral at the core.
- Highly stateful. Tracks extensive application-layer network state.
- Supports forensics. Extensively logs what it sees.
Bro History (timeline 1995–2011)
1995: Vern writes 1st line of code.
1996: LBNL starts using Bro operationally.
Releases, in timeline order:
- v0.2: 1st CHANGES entry
- v0.4: HTTP analysis, Scan detector, IP fragments, Linux support
- v0.6: RegExps, Login analysis
- v0.7a48: Consistent CHANGES
- v0.7a90: Profiling, State Mgmt
- v0.7a175/0.8aX: Signatures, SMTP, IPv6 support, User manual
- 0.8a37: Communication, Persistence, Namespaces, Log Rotation
- v0.8aX/0.9aX: SSL/SMB, STABLE releases, BroLite
- v1.0: BinPAC, IRC/RPC analyzers, 64-bit support, Sane version numbers
- v1.1/v1.2: when Stmt, Resource tuning, Broccoli, DPD
- v1.3: Ctor expressions, GeoIP, Conn Compressor
- v1.4: DHCP/BitTorrent, HTTP entities, NetFlow, Bro Lite Deprecated
- v1.5: BroControl
- Bro 2.0
(Also marked on the timeline: “Bro Waters”.)
Academic Publications, in timeline order: USENIX Paper, Stepping Stone Detector, Anonymizer, Active Mapping, Context Signat., TRW, State Mgmt., Independ. State, Host Context, Time Machine, Enterprise Traffic, BinPAC, DPD, 2nd Path, Bro Cluster, Shunt, Autotuning, Parallel Prototype.
“Who’s Using It?”
Example Logs
> bro -i en0
[ ... wait ... ]
> cat conn.log
#fields ts       id.orig_h        id.orig_p  id.resp_h        id.resp_p  proto  service  duration
1144876741.1198  192.150.186.169  53115      82.94.237.218    80         tcp    http     16.14929
1144876612.6063  192.150.186.169  53090      198.189.255.82   80         tcp    http     4.437460
1144876596.5597  192.150.186.169  53051      193.203.227.129  80         tcp    http     0.372440
1144876606.7789  192.150.186.169  53082      198.189.255.73   80         tcp    http     0.597711
1144876741.4693  192.150.186.169  53116      82.94.237.218    80         tcp    http     16.02667
1144876745.6102  192.150.186.169  53117      66.102.7.99      80         tcp    http     1.004346
1144876605.6847  192.150.186.169  53075      207.151.118.143  80         tcp    http     0.029663
> cat http.log
#fields ts       id.orig_h        id.orig_p  [...]  host             uri                  status_code  user_agent   [...]
1144876741.6335  192.150.186.169  53116             docs.python.org  /lib/lib.css         200          Mozilla/5.0
1144876742.1687  192.150.186.169  53116             docs.python.org  /icons/previous.png  304          Mozilla/5.0
1144876741.2838  192.150.186.169  53115             docs.python.org  /lib/lib.html        200          Mozilla/5.0
1144876742.3337  192.150.186.169  53116             docs.python.org  /icons/up.png        304          Mozilla/5.0
1144876742.3337  192.150.186.169  53116             docs.python.org  /icons/next.png      304          Mozilla/5.0
1144876742.3337  192.150.186.169  53116             docs.python.org  /icons/contents.png  304          Mozilla/5.0
1144876742.3337  192.150.186.169  53116             docs.python.org  /icons/modules.png   304          Mozilla/5.0
1144876742.3338  192.150.186.169  53116             docs.python.org  /icons/index.png     304          Mozilla/5.0
1144876745.6144  192.150.186.169  53117             www.google.com   /                    200          Mozilla/5.0
Script Example: Matching URLs
Task: Report all Web requests for files called “passwd”.

event http_request(c: connection,         # Connection.
                   method: string,        # HTTP method.
                   original_URI: string,  # Requested URL.
                   unescaped_URI: string, # Decoded URL.
                   version: string)       # HTTP version.
    {
    # `==` against a pattern is a whole-string match on the decoded URI.
    if ( method == "GET" && unescaped_URI == /.*passwd/ )
        NOTICE(...); # Alarm.
    }
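A complete version of this detector, added here as an example; it is not the slide's code nor one of Bro's own scripts. It targets the Bro 2.0 script language and its Notice framework. The module name PasswdWatch, the notice type Passwd_Request, the pattern and the method list are assumptions chosen for the example.

```bro
##! Added example (not from the slides): report HTTP requests for a file named
##! "passwd" through the Bro 2.0 Notice framework.

@load base/frameworks/notice

module PasswdWatch;

export {
    redef enum Notice::Type += {
        ## A client requested a URI whose last path component is "passwd".
        Passwd_Request
    };

    ## Matched against the *decoded* URI, so "/etc/%70asswd" and "/etc/passwd"
    ## behave the same. Anchored to the last path component; a query string
    ## may follow it. (Assumed pattern, chosen for the example.)
    const passwd_uri = /(^|\/)passwd(\?.*)?$/ &redef;

    ## HTTP methods worth reporting (assumed list).
    const methods_of_interest: set[string] = { "GET", "HEAD" } &redef;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( method !in methods_of_interest )
        return;

    # `in` searches the string for the pattern; the slide's `==` form would
    # require the whole decoded URI to match the pattern.
    if ( passwd_uri !in unescaped_URI )
        return;

    NOTICE([$note=Passwd_Request,
            $conn=c,
            $msg=fmt("%s %s from %s to %s (raw URI: %s)",
                     method, unescaped_URI, c$id$orig_h, c$id$resp_h,
                     original_URI),
            $sub=original_URI,
            # Same client, server and URI within the default suppression
            # interval produce one notice instead of one per request.
            $identifier=cat(c$id$orig_h, c$id$resp_h, unescaped_URI)]);
    }
```

Run it against a capture with `bro -r trace.pcap passwd-watch.bro`; matches show up in notice.log, and the raw URI in $sub lets an analyst see whether the client used percent-encoding. Checking unescaped_URI rather than original_URI is what makes the encoded variant detectable at all.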
Script Example: Scan Detector
Task: Count failed connection attempts per source address.

global attempts: table[addr] of count &default=0;

event connection_rejected(c: connection)
    {
    local source = c$id$orig_h;     # Get source address.
    local n = ++attempts[source];   # Increase counter.
    if ( n == SOME_THRESHOLD )      # Check for threshold.
        NOTICE(...);                # Alarm.
    }
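The same idea carried to something deployable, as an added example (not the slide's code, and not Bro's own scan.bro): it goes beyond the slide in three ways. The count is of distinct destination hosts rather than raw attempts, so one client retrying a single closed port does not trip it; unanswered SYNs (connection_attempt) count as well as RST-answered ones (connection_rejected); and the state expires on its own, so the table cannot grow without bound on a busy link. Module name, notice type, threshold and window are assumptions.

```bro
##! Added example (not from the slides): a minimal address-scan detector that
##! counts distinct hosts a source failed to reach, with self-expiring state.

@load base/frameworks/notice

module SimpleScan;

export {
    redef enum Notice::Type += {
        ## Raised once per source when it fails to reach `threshold` distinct hosts.
        Address_Scan
    };

    ## Distinct unreachable/rejecting hosts before a source is reported (assumed value).
    const threshold = 25 &redef;

    ## Time after which a source's record is forgotten (assumed value).
    const window = 5 min &redef;
}

# Source address -> destination hosts it failed to connect to.
# &create_expire drops an entry `window` after it was created, so a slow
# scanner must exceed threshold/window to be seen; that is the trade-off
# against unbounded memory use.
global failed: table[addr] of set[addr] &create_expire=window;

# Sources already reported; avoids one notice per further attempt.
global reported: set[addr] &create_expire=window;

function record_failure(c: connection)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    if ( src in reported )
        return;

    if ( src !in failed )
        failed[src] = set();

    add failed[src][dst];

    if ( |failed[src]| < threshold )
        return;

    add reported[src];
    NOTICE([$note=Address_Scan,
            $src=src,
            $n=|failed[src]|,
            $msg=fmt("%s failed to reach %d distinct hosts within %s",
                     src, |failed[src]|, window)]);
    }

# SYN that was never answered.
event connection_attempt(c: connection)
    {
    record_failure(c);
    }

# SYN answered with a RST.
event connection_rejected(c: connection)
    {
    record_failure(c);
    }
```

Because both handlers funnel into one function, the threshold applies to the union of silent and rejecting targets, which is what a horizontal scan looks like from the monitor's vantage point. Tune threshold and window against the site's own baseline before enabling it on a production sensor.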
Distributed Scripts
- Bro comes with >10,000 lines of script code. Prewritten functionality that’s just loaded.
- Scripts also generate the logs. Amenable to extensive customization and extension.
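What “amenable to customization” looks like in practice, as an added example that is not from the slides or from Bro's distribution: using the logging framework introduced in 2.0, the default http.log and conn.log are left untouched while two additional logs are derived from them with filters. The local subnet is a constructed placeholder (taken from the client address in the example logs above), and the filter names and paths are assumptions.

```bro
##! Added example (not from the slides): derive site-specific logs from the
##! streams that Bro 2.0's default scripts already produce.

@load base/protocols/http
@load base/protocols/conn
@load base/utils/site

# Constructed placeholder; set this to the monitored site's real address space.
redef Site::local_nets += { 192.150.186.0/24 };

event bro_init()
    {
    # 1. Extra output: HTTP requests from clients *outside* the local nets are
    #    also written to http-external.log. The predicate runs per record;
    #    the default http.log keeps receiving everything.
    local external: Log::Filter = [
        $name="http-external",
        $path="http-external",
        $pred(rec: HTTP::Info) = { return ! Site::is_local_addr(rec$id$orig_h); }
        ];
    Log::add_filter(HTTP::LOG, external);

    # 2. Trimmed output: a copy of conn.log reduced to the columns a site is
    #    willing to share with partners (no uid, no history, no byte counts).
    #    Nested fields are named with dot notation, as in the log header.
    local shared: Log::Filter = [
        $name="conn-shared",
        $path="conn-shared",
        $include=set("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                     "proto", "service", "duration")
        ];
    Log::add_filter(Conn::LOG, shared);
    }
```

Load the file alongside the default scripts (`bro -i en0 local site-logs.bro`); both new logs appear next to http.log and conn.log and rotate with them. Doing this in a filter rather than by editing the shipped scripts is what keeps a site's customizations intact across upgrades.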
Version 2.0
- Default scripts rewritten from scratch. Focus on ease of use and operational deployment.
- New logging infrastructure.
- New build and packaging system.
- New auto-documentation system (Broxygen).
- Lots of bugs fixed.
- Obsolete code removed.
- New development infrastructure.
- New regression testing framework.
- New web server.
- New mailing lists.
- New logo.
Upcoming: Bro 2.1
- Overhauled IPv6 support.
- New user’s guide.
- Logging extensions: binary logging / PostgreSQL / CouchDB / SQLite(?) / threads.
- Input framework.
- Reaction framework.
- New/improved analyzers: Syslog / GridFTP / NFS / SMB / BitTorrent.
- Extended test-suite.
Aiming for a 3–4 month release cycle.
Current Research: Real-Time Intelligence
REN-ISAC’s Security Event System
[Figure] Source: REN-ISAC
Argonne Federated Model
[Figure] Source: Argonne National Lab
Real-time Intelligence with Bro
[Diagram] Bro Policy Script → Output Framework (ASCII, Binary, DBs, Python) → External Partners → Input Framework (ASCII, Binary, DBs, Python) → Bro Policy Script. What a site’s scripts observe is exported, shared with partners, and the partners’ data is fed back into the scripts.
Research Questions:
- What capabilities does the new context give us?
- What is the quality of the shared information? Do sites see similar attacks?
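The return half of that loop, as an added example (not from the slides): indicators shared by partners arrive as a tab-separated file, are loaded into a table that Bro re-reads whenever the file changes, and every new connection is checked against it. It uses the input framework announced for Bro 2.1 in the Upcoming slide. The feed file name, its columns, the sample row and the notice type are assumptions.

```bro
##! Added example (not from the slides): ingest a partner-supplied indicator
##! feed through the Bro 2.1 input framework and match it against live traffic.

@load base/frameworks/notice
@load base/frameworks/input

module PartnerFeed;

export {
    redef enum Notice::Type += {
        ## A connection involved a host listed in the partner feed.
        Listed_Host
    };

    ## Feed file, e.g. written by whatever polls the partners (assumed name).
    const feed_file = "partner-feed.txt" &redef;
}

# The record types mirror the feed's columns. The ASCII reader expects
# tab-separated values with a #fields header. Constructed example contents:
#
#   #fields host         reason   source
#   192.0.2.17           scanner  partner-A
#
# (192.0.2.0/24 is a documentation range; the row is made up.)
type Idx: record {
    host: addr;
};

type Val: record {
    reason: string;
    source: string;
};

# Filled and kept current by the input framework.
global listed: table[addr] of Val = table();

event bro_init()
    {
    # REREAD: reload the table whenever the file changes on disk, so partners'
    # updates take effect without restarting the monitor.
    Input::add_table([$source=feed_file,
                      $name="partner-feed",
                      $idx=Idx,
                      $val=Val,
                      $destination=listed,
                      $mode=Input::REREAD]);
    }

function check(c: connection, h: addr)
    {
    if ( h !in listed )
        return;

    local v = listed[h];
    NOTICE([$note=Listed_Host,
            $conn=c,
            $msg=fmt("%s listed by %s as %s", h, v$source, v$reason),
            $sub=v$reason,
            # One notice per client/server pair within the suppression interval.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

# Fires on the first packet of every flow, before any application analysis,
# so a listed host is reported even if the connection never completes.
event new_connection(c: connection)
    {
    check(c, c$id$orig_h);
    check(c, c$id$resp_h);
    }
```

The table lookup is the only per-connection cost, so this scales to feeds of many thousands of entries. The open question on the slide, how good the shared information is, shows up here directly: a stale or over-broad feed produces notices for every connection to a listed host, which is why $identifier-based suppression and a REREAD-able file (so entries can be pulled quickly) both matter.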
Current Research: Performance
Back in 2005 ...
[Chart] TBytes/month at the Munich Scientific Network, 1997–2005: total upstream bytes and incoming bytes. Data: Leibniz-Rechenzentrum, München.
Munich Scientific Network (“today” as of 2005): 3 major universities, 2x10GE upstream, ~100,000 users, ~65,000 hosts.
Today ...
[Chart] TBytes/month at the Munich Scientific Network, 1996–2010: total upstream bytes and incoming bytes, with Oct 2005 marked. Data: Leibniz-Rechenzentrum, München.
Munich Scientific Network: 3 major universities, 2x10GE upstream, ~100,000 users, ~65,000 hosts.
Load-balancing Architecture
[Diagram] A 10Gbps link feeds an External Packet Load-Balancer, which distributes the traffic by flow across NIDS 1, NIDS 2 and NIDS 3. Each NIDS runs the full Packet Analysis and Detection Logic on its share of the flows, and the nodes exchange state over a Communication channel. Together they form the “Bro Cluster”.
cPacket’s cFlow 10G
Next Stop: 100 Gb/s
[Figure] DOE/ESNet 100G Advanced Networking Initiative. Source: ESNet.
Now these sites need a monitoring solution ... Working with cPacket on a 100GE load-balancer!
100 Gb/s Load-balancer
[Diagram] 100Gbps link → cFlow 100G → 10Gb/s outputs → Bro Cluster; the cluster steers the load-balancer through its API (Control).
Improving Bro’s Performance
Bottlenecks: script interpretation & single-thread structure.
HILTI: A High-Level Intermediary Language for Traffic Inspection
[Diagram] Toolchain: an Analysis Specification is translated by an Analysis Compiler into HILTI Machine Code; the HILTI Compiler produces Native Object Code, which the System Linker combines with the Runtime Library, generated Stubs and a C Interface into a Native Executable. The Host Application (Application Core) calls the compiled analysis through that C Interface. The HILTI Machine Environment sits on top of the OS Toolchain. Tools shown: hiltic, hilti-build.
Summary
- Bro 2.0 is a major step forward. From research to operations. Crucial engineering resources available. Aiming to set up a long-term development model.
- Bro remains a research platform. Real-time intelligence. Performance for next-gen environments.
www.bro-ids.org
git.bro-ids.org
tracker.bro-ids.org
@Bro_IDS on Twitter