The Bro Intrusion Detection - PowerPoint PPT Presentation

1
The Bro Intrusion Detection
  • Stephen Lau
  • NERSC/LBNL
  • November 20, 2003
  • SC2003
  • Phoenix, AZ

2
Bro
  • High performance intrusion detection system
    developed at LBNL and ACRI
  • Vern Paxson primary developer
  • Based on operational experience with high
    performance networks
  • Grew out of tools developed to optimize and
    analyze network traffic
  • Bro Development Goals
    • High speed network monitoring
    • Low packet loss rate
    • Mechanism separate from policy

3
Bro State Model
  • Bro maintains and analyzes state
    • Keeps track of all network connections
    • Reacts to network behavior patterns
  • Contrast: signature based systems
    • e.g. Snort, RealSecure
    • Match patterns seen in network streams

4
Bro Structure
  • Packet capture and filter
    • Built on libpcap
  • Event Engine
    • Evaluates packets
    • Maintains state of the network connections
    • Generates events
  • Policy Script Interpreter
    • Executes scripts written in policy language
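
The three layers above, as an added example written for this transcript (it is not Bro's own code and does not use Bro's policy language): a packet filter, an event engine that keeps per-connection state and emits events, and a separate policy layer that decides what the events mean. The packet records, addresses and the scan threshold are constructed for the example.

```python
"""Miniature of Bro's filter / event engine / policy split (added example,
not Bro's own code). Packets are constructed records, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as tcpdump prints them: S, SA, A, FA, R


def conn_key(p: Packet):
    """Direction-independent key so both halves of a connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def interesting(p: Packet) -> bool:
    """Layer 1, standing in for the libpcap/tcpdump filter: connection
    tracking only needs SYN, FIN and RST packets, so pure ACKs and data
    packets never reach the engine."""
    return any(f in p.flags for f in "SFR")


class EventEngine:
    """Layer 2: mechanism only. Tracks connection state and emits events;
    it never decides whether an event is good or bad."""

    def __init__(self):
        self.conns = {}                    # conn_key -> connection record
        self.handlers = defaultdict(list)  # event name -> policy callbacks

    def on(self, event: str, fn: Callable) -> None:
        self.handlers[event].append(fn)

    def emit(self, event: str, conn: dict) -> None:
        for fn in self.handlers[event]:
            fn(conn)

    def process(self, p: Packet) -> None:
        if not interesting(p):
            return
        key = conn_key(p)
        if p.flags == "S":
            if key in self.conns:
                return  # retransmitted SYN: state already exists
            conn = {"orig": p.src, "resp": p.dst, "resp_p": p.dport,
                    "state": "SYN", "start": p.ts}
            self.conns[key] = conn
            self.emit("connection_attempt", conn)
            return
        conn = self.conns.get(key)
        if conn is None:
            return  # mid-stream packet for a connection whose start we missed
        if p.flags == "SA" and conn["state"] == "SYN":
            conn["state"] = "ESTABLISHED"
            self.emit("connection_established", conn)
        elif "R" in p.flags:
            event = "connection_rejected" if conn["state"] == "SYN" else "connection_reset"
            conn["state"] = "CLOSED"
            self.emit(event, conn)
        elif "F" in p.flags and conn["state"] == "ESTABLISHED":
            conn["state"] = "FINISHED"
            conn["duration"] = p.ts - conn["start"]
            self.emit("connection_finished", conn)


class Policy:
    """Layer 3: site policy written against the event stream, not packets.
    Another site could load different handlers against the same engine."""

    def __init__(self, engine: EventEngine, scan_threshold: int = 5):
        self.notices = []
        self.targets = defaultdict(set)  # originator -> distinct responders
        self.scan_threshold = scan_threshold
        engine.on("connection_attempt", self.track_scan)
        engine.on("connection_established", self.check_cleartext_login)

    def track_scan(self, conn: dict) -> None:
        seen = self.targets[conn["orig"]]
        seen.add(conn["resp"])
        if len(seen) == self.scan_threshold:
            self.notices.append(("address_scan", conn["orig"]))

    def check_cleartext_login(self, conn: dict) -> None:
        if conn["resp_p"] == 23:
            self.notices.append(("cleartext_login", conn["orig"], conn["resp"]))


def run(packets, scan_threshold: int = 5):
    """Feed packets through filter -> engine -> policy; return the notices
    the policy raised and the engine's final connection table."""
    engine = EventEngine()
    policy = Policy(engine, scan_threshold)
    for p in sorted(packets, key=lambda p: p.ts):
        engine.process(p)
    return policy.notices, engine.conns


# Constructed sample (RFC 5737 documentation addresses): one outside host
# probes telnet on five internal hosts and completes a handshake with the
# fifth; one internal host makes a normal web connection that finishes.
SAMPLE = [Packet(1.0 + i, "203.0.113.9", 40000 + i, f"10.0.0.{i}", 23, "S")
          for i in range(1, 6)]
SAMPLE += [
    Packet(6.5, "10.0.0.5", 23, "203.0.113.9", 40005, "SA"),
    Packet(2.0, "10.0.0.77", 51000, "198.51.100.4", 80, "S"),
    Packet(2.1, "198.51.100.4", 80, "10.0.0.77", 51000, "SA"),
    Packet(2.2, "10.0.0.77", 51000, "198.51.100.4", 80, "A"),  # dropped by filter
    Packet(9.0, "10.0.0.77", 51000, "198.51.100.4", 80, "FA"),
]

if __name__ == "__main__":
    for notice in run(SAMPLE)[0]:
        print(notice)
```

Running it on the sample yields an `address_scan` notice for 203.0.113.9 after its fifth distinct target and a `cleartext_login` notice when the telnet handshake completes; the web connection produces only state (a FINISHED record with a duration) because no policy handler cares about it. That is the "mechanism separate from policy" goal from slide 2: the engine would be identical at a site whose policy treated telnet as normal.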

5
Bro Structure
  [Diagram: data flow, bottom to top]
  Network -> Packet Stream -> libpcap (tcpdump filter) ->
  Filtered Packet Stream -> Event Engine (Event Control) ->
  Event Stream -> Policy Script Interpreter (Policy Script) ->
  Real Time Notification / Record to Disk
6
Bro Structure
  • Real time processing
    • Analysis of real time traffic
    • Reaction to any significant events
    • Traffic filtered to only interesting traffic
  • Offline processing
    • Bro capable of archiving network traffic
    • Allows for more detailed analysis
    • Less traffic is filtered

7
Real Time Processing
  • Works in conjunction with border router to drop
    (shun) hosts at the border
  • Capable of injecting RST packets into a stream to
    tear the connection down
  • Example triggers
    • Code Red worm instances
    • SSH vulnerability exploits
  • Establishes real time alerts based on policy
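
What RST injection actually has to get right, as an added example (not Bro's code): a passive monitor that has seen a connection's addresses, ports and sequence numbers builds one RST for each endpoint, spoofed to look like it came from the other. The connection record and sequence numbers below are constructed; the raw-socket send is shown but not called, since it needs root.

```python
"""Build the TCP RST segments a passive monitor injects to tear down an
observed connection (added example, not Bro's own code)."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; a correctly
    checksummed header sums to 0 under this same function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src: str, sport: int, dst: str, dport: int, seq: int,
              ident: int = 0) -> bytes:
    """IPv4 + TCP segment with only RST set, spoofed to come from src:sport.

    The receiver honours it only if seq is acceptable: anywhere in its
    receive window under RFC 793, exactly the next expected sequence
    number under RFC 5961. So seq should be the last ACK value the
    monitor saw the receiver send."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    RST = 0x04
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, RST, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", saddr, daddr, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000,
                     64, socket.IPPROTO_TCP, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def rst_pair(conn: dict) -> list:
    """Both directions: each endpoint gets a RST that appears to come from
    the other, carrying the sequence number that endpoint expects next.
    conn is a constructed record of what the monitor has observed."""
    to_resp = build_rst(conn["orig"], conn["orig_p"], conn["resp"], conn["resp_p"],
                        conn["orig_next_seq"])
    to_orig = build_rst(conn["resp"], conn["resp_p"], conn["orig"], conn["orig_p"],
                        conn["resp_next_seq"])
    return [to_resp, to_orig]


def parse_segment(seg: bytes) -> dict:
    """Decode enough of a segment to verify it the way a receiver would."""
    ihl = (seg[0] & 0x0F) * 4
    ip, tcp = seg[:ihl], seg[ihl:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}


def send_raw(seg: bytes, dst: str) -> None:
    """Inject a prebuilt segment. Needs CAP_NET_RAW/root and is not called
    here; with IPPROTO_RAW the kernel sends our IP header as is."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(seg, (dst, 0))


# Constructed record of an SSH session the monitor has watched and that
# policy has decided to terminate; sequence numbers are made up.
OBSERVED = {"orig": "203.0.113.9", "orig_p": 40001, "resp": "10.0.0.5", "resp_p": 22,
            "orig_next_seq": 0x1A2B3C4D, "resp_next_seq": 0x0F0E0D0C}

if __name__ == "__main__":
    for seg in rst_pair(OBSERVED):
        print(parse_segment(seg))
```

The check a practitioner wants is in `parse_segment`: both checksums verify, the flags byte is exactly RST, and each segment carries the sequence number the target host expects. Because the monitor only sees traffic passing the tap, the RST is a race with the real endpoints; if a data packet from the spoofed side arrives first, the sequence number the monitor used can fall outside the window and the RST is silently dropped, which is why this is paired with the router-level shun on the slide.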

8
Offline Processing
  • Detects stepping stones
    • Compromised system used as a gateway to attack
      a third party
  • Detects backdoors
    • e.g. telnet servers on non-standard ports
  • Detects file sharing systems
    • Gnutella, Napster, KaZaa

  [Diagram: stepping stone. An External Attacker connects into a
  Compromised Internal System on the Network DMZ, which opens a second
  connection out to an External Victim; Bro monitors the DMZ.]
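
The first two detections above, as an added example over constructed connection records (not Bro's own analyzers). The stepping-stone test is a simplified form of the timing correlation Zhang and Paxson published for Bro in 2000: an inbound and an outbound interactive connection through the same host that resume from idle periods in lockstep are a relay. The backdoor test reads the server's first bytes rather than trusting the port; it also recognises an SSH banner, which goes slightly beyond the telnet case on the slide. Idle and coincidence thresholds are assumptions.

```python
"""Offline analyses: stepping-stone and backdoor detection over constructed
connection records (added example, not Bro's own code)."""

IDLE = 0.5     # seconds of silence that ends a burst of keystrokes (assumed)
DELTA = 0.08   # how close two connections' resumptions must be to coincide (assumed)


def resume_times(times):
    """Instants at which an interactive connection resumes after being
    idle for at least IDLE seconds (the ends of its OFF periods)."""
    times = sorted(times)
    return [t for prev, t in zip(times, times[1:]) if t - prev >= IDLE]


def correlated(in_times, out_times, min_hits=4, min_ratio=0.5):
    """True if the two connections resume from idleness in lockstep often
    enough: at least min_hits coincidences covering at least min_ratio of
    the shorter list. Timing only, so encryption on either leg (SSH in,
    SSH out) does not hide the relay."""
    a, b = resume_times(in_times), resume_times(out_times)
    hits, j = 0, 0
    for t in a:
        while j < len(b) and b[j] < t - DELTA:
            j += 1
        if j < len(b) and abs(b[j] - t) <= DELTA:
            hits += 1
            j += 1
    return hits >= min_hits and hits >= min_ratio * min(len(a), len(b))


def find_stepping_stones(conns):
    """Pairs (inbound to H, outbound from H) that overlap in time and are
    timing-correlated, reported as (attacker, stepping stone, victim)."""
    found = []
    for cin in conns:
        for cout in conns:
            if cout is cin or cin["resp"] != cout["orig"]:
                continue
            overlap = (min(cout["times"]) <= max(cin["times"])
                       and min(cin["times"]) <= max(cout["times"]))
            if overlap and correlated(cin["times"], cout["times"]):
                found.append((cin["orig"], cin["resp"], cout["resp"]))
    return found


IAC = 0xFF
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # telnet WILL, WONT, DO, DONT


def server_protocol(first_bytes: bytes):
    """Guess the service from what the server says first, ignoring the port:
    telnet servers open with IAC option negotiation, SSH servers with a
    version banner."""
    head = first_bytes[:16]
    if any(head[i] == IAC and head[i + 1] in NEGOTIATE for i in range(len(head) - 1)):
        return "telnet"
    if head.startswith(b"SSH-"):
        return "ssh"
    return None


STANDARD_PORT = {"telnet": 23, "ssh": 22}


def find_backdoors(conns):
    """Servers whose traffic identifies a login protocol on a port other
    than its standard one (the 'telnet on a non-standard port' case)."""
    out = []
    for c in conns:
        proto = server_protocol(c.get("resp_bytes", b""))
        if proto and c["resp_p"] != STANDARD_PORT[proto]:
            out.append((proto, c["resp"], c["resp_p"]))
    return out


# Constructed records. KEYS are keystroke times on an inbound SSH session to
# 10.0.0.5; the outbound telnet session from 10.0.0.5 repeats each burst
# 20 ms later, which is the relay signature. The web connection is noise.
KEYS = [0.0, 0.1, 0.2, 1.5, 1.6, 3.0, 3.1, 3.2, 5.0, 6.5, 6.6, 8.0]
CONNS = [
    {"orig": "203.0.113.9", "resp": "10.0.0.5", "resp_p": 22, "times": KEYS,
     "resp_bytes": b"SSH-1.99-OpenSSH_3.7\r\n"},
    {"orig": "10.0.0.5", "resp": "198.51.100.20", "resp_p": 2323,
     "times": [t + 0.02 for t in KEYS],
     "resp_bytes": b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01"},
    {"orig": "10.0.0.77", "resp": "198.51.100.4", "resp_p": 80,
     "times": [0.3, 0.4, 2.0, 2.1, 4.4, 7.1, 7.2],
     "resp_bytes": b"HTTP/1.1 200 OK\r\n"},
]

if __name__ == "__main__":
    print("stepping stones:", find_stepping_stones(CONNS))
    print("backdoors:", find_backdoors(CONNS))
```

On the sample the SSH-in/telnet-out pair through 10.0.0.5 is reported as a stepping stone, the telnet service on 198.51.100.20:2323 as a backdoor, and the web connection matches neither. This is why the slide puts these under offline processing: the correlation needs whole connections with their packet timing, and the pairwise comparison is quadratic in the number of interactive connections, neither of which fits the real-time path.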
9
Bro in Practical Use
  • Primary IDS for LBNL/NERSC since 1996
  • Primary IDS for SC00-03 conferences
  • No specialized hardware needed
    • Low cost allows for multiple deployments
  • Requirements
    • FreeBSD
    • Intel platform
    • Fiber tap
    • Disk space to archive data

10
Defense in Depth
  • Host Level
    • Anti Virus Software
    • Active Scanning
    • Unused services disabled
    • Process Accounting
    • Encrypted Passwords
  • Users / Staff
    • Staff Security Team
    • Usage Agreements
    • Periodic training
    • Emails on key issues
  • Internal Network
    • Network Isolation
    • Firewalls
    • Subnet traffic filtering

11
Use of Bro Within NERSC
  [Diagram: network traffic from ESnet enters NERSC through a Filtering
  Border Router (Bro performs ACL Insertion into it); tapped traffic from
  the border, the internal network and the wireless network feeds the
  monitors below]
  • Multiple Bro Systems
    • Real Time Analysis
    • Redundant Backup
    • Test Box
    • Bulk Traffic Recorder
  • Multiple IDS
    • Snort
    • Bro Heavyweight Protocol Analysis
    • Bro GRID / SSL Analysis
  • Internal Traffic Bro Monitor
  • Wireless Network Bro Monitor
12
Bro at NERSC
  • 24/7 monitoring
    • Tied into a paging system for the on-call security
      person
  • Bro checkpointed at set intervals
    • Clears out orphaned sessions
    • Allows for offline data analysis
  • Data archiving
    • Maintain traffic data for about 3 months
    • Anything beyond that is subpoena bait
    • Maintain network connection data forever

13
NERSC Network Traffic, 3 Week Period
  [chart]
14
Total NERSC Connections
  [chart]
15
Valid NERSC Connections
  [chart]
16
Practical Bro
  • Automatic ACL injection has a very low false
    positive rate
    • At NERSC, on average about 1 every 6 months
  • Reports generated whenever checkpointed
    • Results from blocks and odd events
    • Results from offline analyzer
      • Backdoors and KaZaa traffic
  • Takes some time to learn the traffic

17
What Do We See
  • Usual stuff
    • Lots and lots and lots and lots of scans
      • Slow scans, flash scans, nmap, nessus, ISS
    • Many worms and viruses
      • Code Red, Nimda, etc...
    • Lots of backscatter
  • Fun stuff and stuff we really shouldn't see
    • Broken TCP stacks
    • Private network traffic (192.168.0.0/16, etc.)
    • Broken NATs
    • Odd user behaviour
    • Odd OS/application behaviour
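
Two of the "shouldn't see" items above as concrete checks, written as an added example for this transcript rather than taken from Bro: private (RFC 1918) source addresses arriving from the outside, and backscatter, meaning SYN/ACKs and RSTs aimed at the site that answer SYNs the site never sent, which is what a spoofed-source flood against someone else looks like from the victim of the spoofing. The site prefix, packet tuples and addresses are constructed; the backscatter check assumes the tap sees the site's own outbound SYNs, as a border tap does.

```python
"""Border-tap checks for private-source packets and backscatter (added
example, not Bro's own code). Packets are constructed 5-tuples."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space

# Source addresses that must never arrive from the outside. Listed explicitly
# because ipaddress's is_private also matches the RFC 5737 documentation
# ranges used for the outside hosts in this sample.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def is_bogon(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGON_SOURCES)


def classify(packets):
    """One pass in time order over (src, sport, dst, dport, flags) tuples.
    Returns per-category lists:
      private_source: outside packet carrying an RFC 1918 or other bogon source
      backscatter:    SYN/ACK or RST aimed at us for a SYN we never sent,
                      i.e. a reply to someone forging our addresses
    """
    outbound_syns = set()  # (internal src, external dst, dport) we have seen
    out = {"private_source": [], "backscatter": []}
    for p in packets:
        src, sport, dst, dport, flags = p
        if is_internal(src):
            if flags == "S" and not is_internal(dst):
                outbound_syns.add((src, dst, dport))
            continue
        if is_bogon(src):
            out["private_source"].append(p)
            continue
        # Inbound from a routable source. A SYN/ACK or RST is a reply; if it
        # answers nothing we sent, the SYN it answers was forged with our address.
        if flags in ("SA", "R", "RA") and (dst, src, sport) not in outbound_syns:
            out["backscatter"].append(p)
    return out


# Constructed sample as seen on the outside tap (RFC 5737 outside addresses):
SAMPLE = [
    ("10.0.0.77", 51000, "198.51.100.4", 80, "S"),    # our outbound request
    ("198.51.100.4", 80, "10.0.0.77", 51000, "SA"),   # its legitimate reply
    ("198.51.100.50", 80, "10.0.0.12", 33000, "SA"),  # reply to a SYN we never sent
    ("198.51.100.51", 443, "10.0.0.13", 33001, "RA"), # closed-port reply, likewise
    ("192.168.4.4", 1234, "10.0.0.20", 53, "S"),      # RFC 1918 source from outside
    ("203.0.113.9", 40001, "10.0.0.5", 22, "S"),      # ordinary inbound SYN
]

if __name__ == "__main__":
    for category, pkts in classify(SAMPLE).items():
        print(category, len(pkts))
```

The private-source check is a one-liner once the prefix list is right; the useful part is that it is an ingress filter the border router could enforce, so a hit means the router's ACLs are not doing so. Backscatter is not an attack on the site and should be reported, not blocked, since the hosts sending it are themselves victims; a monitor that shunned them automatically would be turning a third party's flood into a self-inflicted denial of service.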

18
Bro at SC03
  • Bro primary IDS for SC conference since SC00
  • Used to monitor SCinet traffic
  • Maximum observed bandwidth
    • 16.8Gbps at SC2002 (Bandwidth Challenge)
    • Used router hardware BPF
  • Passive monitoring only
    • Automatic countermeasures disabled

19
Bro at SC03
  • IDS for SCinet
    • Ensure conference network does not get taken down
      by attacks
    • Detect 0wned systems
    • Monitor for odd behavior
  • Educational tool for attendees
    • Password capture and display
    • Alert exhibitors to risky behavior
      • e.g. .rhosts with root enabled

20
SCinet Bro Infrastructure
  [diagram]
21
Bro Future Directions
  • Grid related technologies
    • Ability to detect Grid related protocols
    • X.509 Certificate Analyzer
    • SSL Analyzer
      • Verify certificates are legitimate
  • Router Shunting
    • Primary bottleneck is moving packets into user
      space
    • Leverage router based hardware filtering so Bro
      only analyzes packets of interest
    • Proof of concept demo at SC01-03
      • Utilizing Bro and a Juniper router
      • Hardware based BPF to filter traffic

22
Port Mirroring
  [Diagram: External Network <-> Juniper <-> Internal Network; the Juniper
  copies all traffic (Mirrored Traffic) out a GigE Interface to Bro]
23
Filter-based Forwarding
  [Diagram: External Network <-> Juniper <-> Internal Network; a Filter on
  the Juniper forwards only matching traffic (Filtered Traffic) out a GigE
  Interface to Bro]
24
Contact Information
  • Stephen Lau
  • 1 Cyclotron Road, M/S 943
  • Berkeley, CA 94720
  • Phone +1 (510) 486-7178
  • Email slau@lbl.gov
  • PGP 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B