Broverview
The Bro Network Security Monitor
Outline
Philosophy and Architecture: A framework for network traffic analysis.
History: From research to operations.
Architecture: Components, logs, scripts, cluster.
What is Bro?
Packet Capture
Traffic Inspection
Attack Detection
Log Recording (NetFlow, syslog)
Flexibility: Abstraction, Data Structures (“Domain-specific Python”)
Sum is more than the pieces
Philosophy
Fundamentally different from other IDS. Reset your idea of an IDS before starting to use Bro.
Real-time network analysis framework. Primarily an IDS, but many use it for general traffic analysis.
Policy-neutral at the core. Can accommodate a range of detection approaches.
Highly stateful. Tracks extensive application-layer network state.
Supports forensics. Extensively logs what it sees.
Target Audience
Network-savvy users. Requires understanding of your network.
Unixy mindset. Command-line based, fully customizable.
Large-scale environments. Effective also with liberal security policies.
Bro History
Timeline 1995 to 2013.
1995: Vern writes 1st line of code.
LBNL starts using Bro operationally.
Releases and features (grouped as they appear on the timeline; the slide places them by year):
v0.2: 1st CHANGES entry
v0.4: HTTP analysis, Scan detector, IP fragments, Linux support
v0.6: RegExps, Login analysis
v0.7a48: Consistent CHANGES
v0.7a90: Profiling, State Mgmt
v0.7a175/0.8aX: Signatures, SMTP, IPv6 support, User manual
0.8a37: Communication, Persistence, Namespaces, Log Rotation
v0.8aX/0.9aX: SSL/SMB, STABLE releases, BroLite
v1.0: BinPAC, IRC/RPC analyzers, 64-bit support, Sane version numbers
v1.1/v1.2: when Stmt, Resource tuning, Broccoli, DPD
v1.3: Ctor expressions, GeoIP, Conn Compressor
v1.4: DHCP/BitTorrent, HTTP entities, NetFlow, Bro Lite Deprecated
v1.5: BroControl
v2.0: New Scripts
v2.1: IPv6, Input Framew.
v2.2 (beta): File Analysis, Summary Stat.
Bro SDCI
Academic Publications: USENIX Paper, Stepping Stone Detector, Anonymizer, Active Mapping, Context Signat., TRW, State Mgmt., Independ. State, Host Context, Time Machine, Enterprise Traffic, BinPAC, DPD, 2nd Path, Bro Cluster, Shunt, Autotuning, Parallel Prototype, Input Framework
“Who’s Using It?”
Installations across the US: Universities, Research Labs, Supercomputer Centers, Fortune 50 Industry.
Recent User Meetings: Bro Workshop 2011 at NCSA, Bro Exchange 2012 at NCAR, Bro Exchange 2013 at NCSA. Each attended by about 50-90 operators from 30-50 organizations.
Examples: Lawrence Berkeley National Lab, Indiana University, National Center for Supercomputing Applications, National Center for Atmospheric Research, ... and many more sites.
Fully integrated into Security Onion, a popular security-oriented Linux distribution.
Deployment
A tap between the Internal Network and the Internet feeds a copy of the traffic to Bro.
Runs on commodity platforms: standard PCs & NICs.
Supports FreeBSD/Linux/OS X.
Creating Visibility with Bro
> bro -i en0
[ ... wait ...]
> cat conn.log
#fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929
1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460
1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440
1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711
1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667
1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346
1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663
> cat http.log
#fields ts id.orig_h id.orig_p [...] host uri status_code user_agent [...]
1144876741.6335 192.150.186.169 53116 docs.python.org /lib/lib.css 200 Mozilla/5.0
1144876742.1687 192.150.186.169 53116 docs.python.org /icons/previous.png 304 Mozilla/5.0
1144876741.2838 192.150.186.169 53115 docs.python.org /lib/lib.html 200 Mozilla/5.0
1144876742.3337 192.150.186.169 53116 docs.python.org /icons/up.png 304 Mozilla/5.0
1144876742.3337 192.150.186.169 53116 docs.python.org /icons/next.png 304 Mozilla/5.0
1144876742.3337 192.150.186.169 53116 docs.python.org /icons/contents.png 304 Mozilla/5.0
1144876742.3337 192.150.186.169 53116 docs.python.org /icons/modules.png 304 Mozilla/5.0
1144876742.3338 192.150.186.169 53116 docs.python.org /icons/index.png 304 Mozilla/5.0
1144876745.6144 192.150.186.169 53117 www.google.com / 200 Mozilla/5.0
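The conn.log and http.log above are self-describing: the "#fields" comment line names the columns, so one small parser serves every Bro log type, and the two logs can be joined to see which HTTP requests rode on which connection. The following is an added example written for this page, not code from the Bro project. It reuses the rows shown on the slide, typed tab-separated as real Bro logs are; the http.log columns the slide elides with "[...]" are left out, and because these logs predate the "uid" column that later Bro versions carry as the proper join key, the join here uses the originator address/port pair (an assumption that holds for this capture).

```python
"""Parse Bro's self-describing ASCII logs and join conn.log with http.log.

Added example; not code from the Bro project. Sample rows are those shown
on the 'Creating Visibility with Bro' slide, re-typed tab-separated.
"""


def _tsv(*rows):
    """Turn space-separated sample rows into a tab-separated log body.

    Only for building the samples below: none of the slide's values contain
    spaces, so splitting on whitespace is safe here (real user_agent values
    can contain spaces, which is why Bro uses tabs in the first place).
    """
    return "\n".join("\t".join(r.split()) for r in rows)


# Constructed from the conn.log rows on the slide.
CONN_LOG = _tsv(
    "#fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration",
    "1144876741.1198 192.150.186.169 53115 82.94.237.218 80 tcp http 16.14929",
    "1144876612.6063 192.150.186.169 53090 198.189.255.82 80 tcp http 4.437460",
    "1144876596.5597 192.150.186.169 53051 193.203.227.129 80 tcp http 0.372440",
    "1144876606.7789 192.150.186.169 53082 198.189.255.73 80 tcp http 0.597711",
    "1144876741.4693 192.150.186.169 53116 82.94.237.218 80 tcp http 16.02667",
    "1144876745.6102 192.150.186.169 53117 66.102.7.99 80 tcp http 1.004346",
    "1144876605.6847 192.150.186.169 53075 207.151.118.143 80 tcp http 0.029663",
)

# Constructed from the http.log rows on the slide (elided columns dropped).
HTTP_LOG = _tsv(
    "#fields ts id.orig_h id.orig_p host uri status_code user_agent",
    "1144876741.6335 192.150.186.169 53116 docs.python.org /lib/lib.css 200 Mozilla/5.0",
    "1144876742.1687 192.150.186.169 53116 docs.python.org /icons/previous.png 304 Mozilla/5.0",
    "1144876741.2838 192.150.186.169 53115 docs.python.org /lib/lib.html 200 Mozilla/5.0",
    "1144876742.3337 192.150.186.169 53116 docs.python.org /icons/up.png 304 Mozilla/5.0",
    "1144876742.3337 192.150.186.169 53116 docs.python.org /icons/next.png 304 Mozilla/5.0",
    "1144876742.3337 192.150.186.169 53116 docs.python.org /icons/contents.png 304 Mozilla/5.0",
    "1144876742.3337 192.150.186.169 53116 docs.python.org /icons/modules.png 304 Mozilla/5.0",
    "1144876742.3338 192.150.186.169 53116 docs.python.org /icons/index.png 304 Mozilla/5.0",
    "1144876745.6144 192.150.186.169 53117 www.google.com / 200 Mozilla/5.0",
)


def parse_log(text, sep="\t"):
    """Return the records of a Bro ASCII log as a list of dicts.

    Column names come from the '#fields' comment line, so the same parser
    works for conn.log, http.log or any other log. Other '#' lines
    (#separator, #types, #close, ...) are metadata and are skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def join_http_to_conn(conns, https):
    """Group http.log rows under the conn.log record they belong to.

    Keyed by originator (address, port); an assumption standing in for the
    'uid' column that newer Bro logs carry.
    """
    by_orig = {}
    for c in conns:
        key = (c["id.orig_h"], c["id.orig_p"])
        by_orig[key] = {"resp_h": c["id.resp_h"],
                        "duration": float(c["duration"]),
                        "requests": []}
    for h in https:
        key = (h["id.orig_h"], h["id.orig_p"])
        if key in by_orig:   # ignore rows whose connection is not in conn.log
            by_orig[key]["requests"].append((h["host"], h["uri"], h["status_code"]))
    return by_orig


def requests_per_host(https):
    """Count http.log rows per requested host."""
    counts = {}
    for h in https:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    joined = join_http_to_conn(parse_log(CONN_LOG), parse_log(HTTP_LOG))
    for (orig_h, orig_p), info in sorted(joined.items()):
        print("%s:%s -> %s  %.3fs  %d HTTP request(s)" % (
            orig_h, orig_p, info["resp_h"], info["duration"], len(info["requests"])))
    print(requests_per_host(parse_log(HTTP_LOG)))
```

Four of the seven connections carry no http.log rows even though conn.log labels them "http": the slide shows only an excerpt of http.log, and a parser that joins the two logs makes such gaps visible instead of silently assuming every connection was explained.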
Architecture
Network: packets
Event Engine: protocol decoding; turns packets into events
Policy Script Interpreter: analysis logic; consumes events and produces logs and notifications
Logs and Notification are the “User Interface”
Event Model
Web Client 1.2.3.4/4321 sends “Request for /index.html” to Web Server 5.6.7.8/80, which answers “Status OK plus data”.
Stream of TCP packets: SYN, SYN ACK, ACK, ..., ACK, ACK, ..., FIN, FIN
Event: connection_established(1.2.3.4/4321⇒5.6.7.8/80)
TCP stream reassembly for originator
Event: http_request(1.2.3.4/4321⇒5.6.7.8/80, “GET”, “/index.html”)
TCP stream reassembly for responder
Event: http_reply(1.2.3.4/4321⇒5.6.7.8/80, 200, “OK”, data)
Event: connection_finished(1.2.3.4/4321, 5.6.7.8/80)
Script Example: Matching URLs
Task: Report all Web requests for files called “passwd”.

event http_request(c: connection,          # Connection.
                   method: string,         # HTTP method.
                   original_URI: string,   # Requested URL.
                   unescaped_URI: string,  # Decoded URL.
                   version: string)        # HTTP version.
    {
    if ( method == "GET" && unescaped_URI == /.*passwd/ )
        NOTICE(...); # Alarm.
    }
Script Example: Scan Detector
Bro Workshop 2011
Task: Count failed connection attempts per source address.

global attempts: table[addr] of count &default=0;

event connection_rejected(c: connection)
    {
    local source = c$id$orig_h;     # Get source address.
    local n = ++attempts[source];   # Increase counter.
    if ( n == SOME_THRESHOLD )      # Check for threshold.
        NOTICE(...);                # Alarm.
    }
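Both script examples, and the event model before them, share one shape: the event engine delivers an event (http_request, connection_rejected) and a handler decides whether to alarm. The block below is an added example written for this page, not Bro's own code, that models those two handlers in Python and runs them over a constructed event stream, so that two details of the slides can be checked: in Bro, "==" between a string and a pattern succeeds only when the pattern matches the entire string, so the slide's /.*passwd/ fires only for URIs that end in "passwd" (the "in" operator gives search semantics), and the "n == SOME_THRESHOLD" test makes each source alarm exactly once, where ">=" would re-alarm on every further rejection. The threshold value 20 and the 192.0.2.0/24 addresses are assumptions.

```python
"""Python model of the two slide scripts: the passwd URL matcher and the
per-source counter of rejected connections. Added example, not Bro's own
code; events are constructed, and THRESHOLD stands in for the slide's
SOME_THRESHOLD.
"""
import re

# The slide's /.*passwd/. Bro's '==' requires the pattern to match the whole
# string, which is Python's re.fullmatch; Bro's 'in' is re.search.
PASSWD_PATTERN = re.compile(r".*passwd")


def passwd_request(method, unescaped_uri, anywhere=False):
    """Return True when an http_request event should raise a notice.

    anywhere=True switches to search semantics, which also catches requests
    such as '/etc/passwd.bak' that the whole-string comparison misses.
    """
    if method != "GET":
        return False
    if anywhere:
        return PASSWD_PATTERN.search(unescaped_uri) is not None
    return PASSWD_PATTERN.fullmatch(unescaped_uri) is not None


class ScanDetector:
    """Counter of connection_rejected events per originator address."""

    def __init__(self, threshold, fire_once=True):
        self.threshold = threshold
        self.fire_once = fire_once
        self.attempts = {}      # table[addr] of count &default=0
        self.notices = []       # (source, count) pairs that would be NOTICE()d

    def connection_rejected(self, orig_h):
        n = self.attempts.get(orig_h, 0) + 1   # ++attempts[source]
        self.attempts[orig_h] = n
        # '==' alarms once per source at the threshold; '>=' would alarm on
        # every rejection from then on.
        hit = n == self.threshold if self.fire_once else n >= self.threshold
        if hit:
            self.notices.append((orig_h, n))
        return n


def run_detector(events, threshold, fire_once=True):
    """Feed a sequence of originator addresses through the detector."""
    det = ScanDetector(threshold, fire_once)
    for orig_h in events:
        det.connection_rejected(orig_h)
    return det


# Constructed event stream: 192.0.2.5 is rejected 25 times and 192.0.2.9
# three times, interleaved as a scanner and an unlucky host might appear.
REJECTED_EVENTS = (["192.0.2.5"] * 10 + ["192.0.2.9"] + ["192.0.2.5"] * 10
                   + ["192.0.2.9"] * 2 + ["192.0.2.5"] * 5)
THRESHOLD = 20   # assumption standing in for the slide's SOME_THRESHOLD


if __name__ == "__main__":
    for method, uri in [("GET", "/etc/passwd"), ("GET", "/etc/passwd.bak"),
                        ("POST", "/etc/passwd")]:
        print(method, uri, "==:", passwd_request(method, uri),
              "in:", passwd_request(method, uri, anywhere=True))
    det = run_detector(REJECTED_EVENTS, THRESHOLD)
    print("attempts:", det.attempts)
    print("notices:", det.notices)
```

The real Bro table on the slide never forgets a source; in a long-running monitor the attempts table would be given an expiry attribute so that a host with a few stray rejections per day does not eventually cross the threshold.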
Distributed Scripts
Bro comes with >10,000 lines of script code. Prewritten functionality that’s just loaded.
Scripts generate alarms and logs. Amenable to extensive customization and extension.
Bro comes with support for ...
Extract files from HTTP, SMTP, etc.
Extract/monitor SSL certificates.
Detect malware via Team Cymru's Malware Hash Registry.
Report vulnerable software versions on the network.
Detect popular web applications.
Detect SSH brute-forcing.
Notable external scripts: Bro module for Mandiant APT1 report, Lucky 13 detector, ICSI SSL notary.
[Diagram: Bro Ecosystem. A Tap between the Internal Network and the Internet feeds Bro; capstats; Other Bros exchange Events and State with it; Broccoli (Bro Client Communication Library) carries Events to external clients, with bindings Broccoli Ruby, Broccoli Python and (Broccoli Perl); Contributed Scripts add Functionality; Time Machine is attached to the Tap; auxiliary tools BTest, BinPAC, capstats, trace-summary and bro-aux; BroControl provides Control, Output and the User Interface. Sources: http://www.bro-ids.org/download and git://git.bro-ids.org; Bro Distribution: bro-2.1.tar.gz]
16
Bro Ecosystem
[Diagram: Bro Cluster Ecosystem. The same components as the Bro Ecosystem diagram (Tap between Internal Network and Internet, Bro, capstats, Broccoli with Ruby, Python and (Perl) bindings, Contributed Scripts, Time Machine, BTest, BinPAC, trace-summary, bro-aux, BroControl with Control, Output and User Interface), with Other Bros now labelled External Bro (Events, State). A Load-Balancer splits Packets across several Bro instances, labelled "Workers"; BroControl with Control, Output and User Interface is labelled "Manager"; the Load-Balancer is labelled "Frontend".]
17
Bro Cluster Ecosystem