Transcription
What can the NSF Bro Center of Excellence do for me?
Adam Slagell, NCSA CISO & CyberSec Div. Director
August 17th, 2015
National Center for Supercomputing Applications, University of Illinois at Urbana–Champaign
The NSF Bro Center of Excellence
- Bro support for NSF projects & higher ed; launched October 2013 at the NSF Cybersecurity Summit
- Development work for these communities, e.g. SDN & Science DMZ is important to them (PACF)
- Research: you can't save 3 months of pcaps, so run the analysis live
- Outreach: BroCon & the NSF Cybersecurity Summit; partnering with CTSC & ESnet on projects
- 1-on-1 engagements
Some communities engaged so far
LIGO, Mississippi State, UC Santa Cruz, Washington University St. Louis, University of Virginia, National Center for Atmospheric Research, Penn State, U of Utah, Cornell, UT Austin, Rochester Institute of Technology, UW Madison, Clemson, Indiana, IceCube, University of Idaho, Washington County School District in Utah
Ask us to help with
- Troubleshooting & optimizing: cluster setups & tap/aggregation aren't easy; CPU affinity and hyper-threading?
- Planning & reviewing designs for NSM: Where should I tap? What are the pros/cons? How much hardware should I start with? Should I design for peak or average?
- "So I installed it, now what?" (i.e., the rest of this talk): Bro is way more than an IDS
Did someone download malware?
- Does everyone know Team Cymru? They publish hashes of known, static malware (the Malware Hash Registry).
- Do you know about Bro's file analysis framework?
- You can combine the two to detect malware downloads. More in a demo from Justin shortly.
Lack endpoint management?
- A common university problem: web-plugin whack-a-mole
- Check out software.log sometime: use Bro to detect Flash, Java and Acrobat versions
- Works really nicely with Splunk
Damn you, encryption!
- Everything's getting encrypted, right? Not really, but there is still lots you can do
- Got the private keys to your web service?
- Run custom SSHD binaries? Scott Campbell @ NERSC and iSSHD (in GSI-SSH now)
- What's in that ssl.log? More from Johanna in a bit
- Some caveats
Spammers on your network
- Easy to detect spam relays
- What about spamming accounts? Lots of email is expected from the SMTP server anyway
- Bro can do application-layer analysis; SumStats to the rescue! You can count how many emails are sent, and the rate, per user
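The per-user counting the slide describes, written out as an added example in plain Python rather than Bro's SumStats framework (this is not code from the talk). It takes smtp.log-style records already reduced to (ts, id.orig_h, mailfrom), keeps a total and a peak-per-window count for each sender, and flags senders that exceed both. The sample records, the 60-second window and the thresholds are all assumptions for the example; a compromised account sends a burst, a newsletter sends a lot slowly, and only the burst is reported.

```python
from collections import defaultdict

# Constructed sample records in the shape of the smtp.log columns we need:
# (ts, id.orig_h, mailfrom). Made up for this example, not captured traffic.
SAMPLE_SMTP = (
    [(1000.0 + 3600.0 * i, "10.1.2.3", "alice@example.edu") for i in range(5)]
    + [(2000.0 + 2.0 * i, "10.1.2.99", "compromised@example.edu") for i in range(40)]
    + [(5000.0 + 120.0 * i, "10.1.2.7", "newsletter@example.edu") for i in range(12)]
)


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any `window`-second span.

    This is the per-key count a SumStats reducer would keep over an epoch;
    here it is a two-pointer sweep over the full timestamp list (assumption:
    we hold every timestamp in memory, Bro would keep a rolling counter).
    """
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:   # drop events older than the window
            left += 1
        best = max(best, right - left + 1)
    return best


def per_sender_stats(records, window=60.0):
    """Map sender -> (total messages, peak messages in any `window` seconds)."""
    per_sender = defaultdict(list)
    for ts, _orig_h, mailfrom in records:
        per_sender[mailfrom].append(ts)
    return {s: (len(v), max_in_window(v, window)) for s, v in per_sender.items()}


def flag_spamming_accounts(records, window=60.0, burst_limit=20, min_total=25):
    """Senders whose total volume and burst rate both exceed the thresholds.

    Two thresholds keep a single busy minute from a legitimate sender, and a
    slow but steady newsletter, from firing. The limits are assumptions to be
    tuned per site, as the thresholds in a Bro script would be.
    """
    stats = per_sender_stats(records, window)
    return sorted(s for s, (total, burst) in stats.items()
                  if total >= min_total and burst > burst_limit)


if __name__ == "__main__":
    for sender, (total, burst) in sorted(per_sender_stats(SAMPLE_SMTP).items()):
        print(f"{sender:28} total={total:3d} peak/60s={burst}")
    print("flagged:", flag_spamming_accounts(SAMPLE_SMTP))
```

In a real deployment the records come from smtp.log (or from a Bro script feeding SumStats directly), and the per-sender key should be the authenticated user where the MTA logs it, since `mailfrom` is attacker-controlled.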
Ugh, UDP
- So someone installed a new NTP server. At one institution, networking updated its routers, and all of them were taking part in an attack within minutes.
- It keeps coming back every time a new server is built from an old image
- Trivial to detect with Bro, though
Automate your whack-a-mole
- Want to know if someone is scanning you? Or you them?
- Is someone brute-forcing SSHD? Block them!
- Tie Bro to a black-hole router or SDN; check out Justin's BHR code on GitHub
Why not share?
- If you blocked it, maybe they want to too? We do this with campus, and hope to with XSEDE
- The Intel framework can be used to import this; also with CIF for REN-ISAC and many other feeds
- Being used for a Science DMZ appliance we are developing more generally
- If you want to pilot this with us, talk to me
Misconfiguration or policy violation
- Using an outside DNS server (lots of NXDOMAIN responses)
- Wrong NTP server: the OS may default to a foreign server (scale to cluster)
- Participation in an amplification attack due to poor config
- Hosting unapproved domains, at least for HTTP
Configuration management
- Did someone stick a new host on your network? Did a host reboot with a new service?
- You can whitelist or blacklist hosts/services on a network
- You could even start building profiles of hosts to take this further
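The two preceding slides (misconfiguration, and new hosts or services) are the same kind of check: compare what conn.log shows against a site policy. This added Python example, not code from the talk, runs that check over constructed conn.log rows: local clients talking to an unapproved DNS resolver or NTP server, and local responders that completed a connection on a host/port pair not in the baseline. The local address range, the approved servers, the baseline and the sample rows are all assumptions for the example. It only trusts connections whose conn_state shows the responder actually answered; a refused connection says nothing about what is listening.

```python
import ipaddress
from collections import namedtuple

# One conn.log row reduced to the columns this check needs.
Conn = namedtuple("Conn", "ts orig_h resp_h resp_p proto service conn_state")

# Site policy, all assumed for the example: local address space, the
# sanctioned DNS and NTP servers, and the baseline of known host/port pairs.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_DNS = {"10.0.0.53"}
APPROVED_NTP = {"10.0.0.123"}
KNOWN_SERVICES = {("10.0.0.53", 53), ("10.0.1.10", 22), ("10.0.1.10", 443)}
KNOWN_HOSTS = {host for host, _port in KNOWN_SERVICES}

# conn_state values where the responder took part in the connection; a REJ,
# S0 or OTH tells us nothing about what is listening on the host.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed conn.log rows (not captured data).
SAMPLE_CONNS = [
    Conn(1.0, "10.0.5.4", "10.0.0.53", 53, "udp", "dns", "SF"),       # sanctioned resolver
    Conn(2.0, "10.0.5.9", "8.8.8.8", 53, "udp", "dns", "SF"),         # outside resolver
    Conn(3.0, "10.0.5.9", "198.51.100.7", 123, "udp", "ntp", "SF"),   # OS default NTP pool
    Conn(4.0, "203.0.113.8", "10.0.1.10", 443, "tcp", "ssl", "SF"),   # known service
    Conn(5.0, "203.0.113.9", "10.0.1.10", 8080, "tcp", "http", "SF"), # new service, known host
    Conn(6.0, "203.0.113.9", "10.0.2.22", 22, "tcp", "ssh", "SF"),    # host not in baseline
    Conn(7.0, "203.0.113.9", "10.0.2.22", 23, "tcp", "-", "REJ"),     # refused: ignore
]


def is_local(ip):
    """True if `ip` falls inside one of the site's local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def policy_violations(conns):
    """Return (kind, host, detail) tuples, one per offending connection.

    kind is one of external_dns, external_ntp (local client, wrong server),
    new_host (a local address answering that is not in the baseline at all)
    or new_service (a known host answering on a port not in the baseline).
    """
    found = []
    for c in conns:
        if is_local(c.orig_h):
            if c.resp_p == 53 and c.resp_h not in APPROVED_DNS:
                found.append(("external_dns", c.orig_h, c.resp_h))
            elif c.resp_p == 123 and c.resp_h not in APPROVED_NTP:
                found.append(("external_ntp", c.orig_h, c.resp_h))
        if is_local(c.resp_h) and c.conn_state in ESTABLISHED:
            if c.resp_h not in KNOWN_HOSTS:
                found.append(("new_host", c.resp_h, c.resp_p))
            elif (c.resp_h, c.resp_p) not in KNOWN_SERVICES:
                found.append(("new_service", c.resp_h, c.resp_p))
    return found


if __name__ == "__main__":
    for kind, host, detail in policy_violations(SAMPLE_CONNS):
        print(f"{kind:13} {host:12} {detail}")
```

The baseline would normally be seeded from known_hosts.log and known_services.log over a quiet period, and the "new host" result is the one to page on: it is either an inventory gap or something that should not be there.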
What's the process look like?
- Contact us: https://www.bro.org/nsf/ or nsf@bro.org
- Set up a meeting; a couple of pre-meeting questions; send diagrams first if you have them
- Develop a plan and a timeline: What do we want to accomplish? How long do we give this? How regularly do we meet?
The Bro Monitoring Platform
Adam Slagell, National Center for Supercomputing Applications
(Borrowed from Robin Sommer, International Computer Science Institute)
"What Is Bro?"
- Packet capture, traffic inspection, attack detection
- NetFlow, log recording, syslog
- Flexibility, abstraction, data structures: a "domain-specific Python"
Bro History (1995 to 2013)
- 1995: Vern writes the 1st line of code
- v0.2: 1st CHANGES entry
- v0.4: HTTP analysis, scan detector, IP fragments, Linux support
- v0.6: RegExps, login analysis
- v0.7a48: consistent CHANGES
- v0.7a90: profiling, state management
- v0.7a175/0.8aX: signatures, SMTP, IPv6 support, user manual
- v0.8aX/0.9aX: SSL/SMB, STABLE releases, BroLite; LBNL starts using Bro operationally
- v1.0: BinPAC, IRC/RPC analyzers, 64-bit support, sane version numbers, log rotation
- v1.1/v1.2: when statement, resource tuning, Broccoli, DPD
- v1.3: constructor expressions, GeoIP, connection compressor
- v1.4: DHCP/BitTorrent, HTTP entities, NetFlow, Bro Lite deprecated
- v1.5: BroControl
- v2.0: new scripts, Bro SDCI
- v2.1: IPv6, input framework
- v2.2: file analysis, summary statistics
- 2013: Bro Center
Research track over the same period: host context, Time Machine, enterprise traffic, academic publications, TRW, state management, independent state, USENIX paper, anonymizer, active mapping, context signatures, stepping-stone detector, Bro cluster, shunt, parallel prototype, BinPAC, DPD, 2nd path, input framework, autotuning
"Who's Using It?"
- Installations across the US: universities, research labs, supercomputing centers, government organizations, Fortune 50 enterprises
- Examples: Lawrence Berkeley National Lab, National Center for Supercomputing Applications, Indiana University, General Electric, Mozilla Corporation, and many more sites I can't talk about
- Fully integrated into Security Onion, a popular security-oriented Linux distribution
- Community: 50/90/150/185 attendees at BroCon '12/'13/'14/'15; 110 organizations at BroCon '14; 4,000 Twitter followers; 1,000 mailing list subscribers; 100 users on average on the IRC channel; 10,000 downloads per version from 150 countries
(Photo: BroCon 2014, Urbana, IL)
Architecture
Network -> Packets -> Event Engine (protocol decoding) -> Events -> Policy Script Interpreter (analysis logic; this is the "user interface") -> Logs and Notification
The Bro Platform
- Network -> Tap -> Bro
- Platform layer: packet processing, programming language, standard library
- Apps built on it: intrusion detection, vulnerability management, file analysis, traffic measurement, traffic control, compliance monitoring
- Open source, BSD license
"What Can It Do?"
Log files, alerts, custom logic. Log files first: they are the "network ground truth".
Bro Logs
# bro -i eth0
[ wait ]
# ls *.log
app_stats.log dpd.log files.log ftp.log http.log irc.log known_certs.log known_hosts.log known_services.log [ ] signatures.log smtp.log [ ] traceroute.log tunnel.log weird.log
# cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2013-04-28-23-47-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p [ ]
#types time string addr port addr port [ ]
1258531221.486539 arKYeMETxOg 192.168.1.103 [ ]
1258531680.237254 nQcgTWjvg4c [ ]
1258531693.816224 j4u32Pc5bif [ ]
1258531635.800933 k6kgXLOoSKl [ ]
1258531693.825212 TEfuqmmG4bh [ ]
1258531803.872834 5OKnoww6xl4 [ ]
1258531747.077012 FrJExwHcSal [ ]
1258531924.321413 3PKsZ2Uye21 [ ]
Connections (conn.log), one record with its fields explained:
ts              Timestamp
uid             Unique ID
id.orig_h       Originator IP (177.22.211.144)
id.orig_p       Originator port
id.resp_h       Responder IP
id.resp_p       Responder port
proto           IP protocol
service         App-layer protocol
duration        Duration
orig_bytes      Bytes by originator (9068)
resp_bytes      Bytes by responder (4450)
conn_state      TCP state (SF)
local_orig      Local originator? (T)
missed_bytes    Gaps (0)
history         State history (ShAdDaFf)
tunnel_parents  Outer tunnels ((empty))
HTTP (http.log), selected fields of one record:
id.orig_h        17.22.7.4
referrer         -
user_agent       Mozilla/4.0 (Windows; U) Pando/2.6.0.8
status_code      200
username         anonymous
password         -
orig_mime_types  application/xml
resp_mime_types  application/xml
SSL (ssl.log), one record:
id.orig_h          2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p          40475
id.resp_h          2406:fe60:f47::aaeb:98c
id.resp_p          443
version            TLSv10
cipher             TLS_DHE_RSA_WITH_AES_256_CBC_SHA
server_name        www.netflix.com
subject            CN=www.netflix.com,OU=Operations,O=Netflix, Inc.,L=Los Gatos,ST=CALIFORNIA,C=US
issuer_subject     CN=VeriSign Class 3 Secure Server CA,OU=VeriSign Trust Network,O=VeriSign,C=US
not_valid_before   1389859200.000000
not_valid_after    1452931199.000000
client_subject     -
client_issuer_subject  -
cert_hash          197cab7c6c92a0b9ac5f37cfb0699268
validation_status  ok
Syslog & DHCP
syslog.log:
id.orig_h   12.3.8.161
severity    INFO
message     sshd[13825]: Accepted publickey for harvest from xxx.xxx.xxx.xxx
dhcp.log:
uid          Ci3RM24iF4vIYRGHc3
id.orig_h    10.129.5.11
id.resp_h    10.129.5.1
mac          04:12:38:65:fa:68
assigned_ip  10.129.5.11
lease_time   14400.000000
Files (files.log), selected fields of one record:
fuid        [ ]hPJP2
tx_hosts    191.168.187.33
rx_hosts    10.1.29.110
duration    5.320822
local_orig  T
seen_bytes  39508
md5         93f7f5e7a2096927e06e[ ]1085bfcfb
sha1        daed94a5662a920041be[ ]a433e501646ef6a03
extracted   -
Software (software.log), selected fields of one record:
host              [ ]100.2
host_p            -
software_type     [ ]
unparsed_version  [ ]dows; 8; i32; en_US; Trooper5694-2047-1832-6291-8315)
Help Understand Your Network
Top file types:
# cat files.log | bro-cut mime_type | sort | uniq -c | sort -rn
application/pdf, image/gif, image/png, ...
Help Understand Your Network (2)
Top software by number of hosts:
# cat software.log | bro-cut host name | sort | uniq | awk -F '\t' '{print $2}' | sort | uniq -c | sort -rn
Chrome, Microsoft-CryptoAPI, ...
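The two bro-cut pipelines above and the conn.log header shown earlier all rest on the same thing: Bro's ASCII logs are tab-separated with `#fields`/`#types` headers, `-` for unset and `(empty)` for empty set fields. This added Python example (not code from the talk or the Bro project) parses that format from the header lines, typing each column, and then reproduces both counts: MIME types by number of files, and software names by number of distinct hosts. The two embedded logs are constructed for the example; only the header conventions and field names come from the slides.

```python
import io
from collections import Counter

# Constructed files.log and software.log in Bro's TSV format (made-up rows,
# not real captures). Tabs are written as "\t" so the separator is a real tab;
# the #separator line itself carries the escape text \x09, as Bro writes it.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tmime_type\tseen_bytes\n"
    "#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tcount\n"
    "1258531221.486539\tFa1\t10.0.0.5\t10.0.0.9\tapplication/pdf\t39508\n"
    "1258531222.000000\tFa2\t10.0.0.5\t10.0.0.9,10.0.0.10\tapplication/pdf\t1200\n"
    "1258531223.000000\tFa3\t10.0.0.6\t10.0.0.9\timage/gif\t80\n"
    "1258531224.000000\tFa4\t10.0.0.6\t10.0.0.9\timage/png\t90\n"
    "1258531225.000000\tFa5\t10.0.0.7\t10.0.0.9\tapplication/pdf\t77\n"
    "1258531226.000000\tFa6\t10.0.0.7\t10.0.0.9\timage/gif\t81\n"
    "1258531227.000000\tFa7\t(empty)\t10.0.0.9\t-\t0\n"   # no sender seen, no MIME type
    "#close\t2013-04-28-23-50-00\n"
)
SAMPLE_SOFTWARE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tsoftware\n"
    "#fields\tts\thost\tname\tversion.major\n"
    "#types\ttime\taddr\tstring\tcount\n"
    "1.0\t10.0.0.5\tChrome\t34\n"
    "2.0\t10.0.0.6\tChrome\t35\n"
    "3.0\t10.0.0.6\tChrome\t36\n"                # same host after an upgrade: still one host
    "4.0\t10.0.0.7\tChrome\t36\n"
    "5.0\t10.0.0.5\tMicrosoft-CryptoAPI\t6\n"
    "6.0\t10.0.0.6\tMicrosoft-CryptoAPI\t-\n"
)


def _convert(raw, typ, unset, empty, set_sep):
    """Turn one TSV cell into a Python value according to its Bro type."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[", "table[")):
        return [] if raw == empty else raw.split(set_sep)
    if typ in ("time", "double", "interval"):
        return float(raw)
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ == "bool":
        return raw == "T"
    return raw


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts, driven by its # header lines."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    rows = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The only header not split by `sep`; its value is an escape like \x09.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            continue  # #path, #open and #close carry no row data
        cells = line.split(sep)
        if fields is None or types is None or len(cells) != len(fields):
            raise ValueError(f"malformed row: {line!r}")
        rows.append({name: _convert(raw, typ, unset, empty, set_sep)
                     for name, typ, raw in zip(fields, types, cells)})
    return rows


def top_mime_types(files_rows):
    """Same answer as `bro-cut mime_type | sort | uniq -c | sort -rn`, unset skipped."""
    return Counter(r["mime_type"] for r in files_rows if r["mime_type"]).most_common()


def top_software_by_hosts(software_rows):
    """Software name -> number of distinct hosts running it, like the awk pipeline."""
    hosts = {}
    for r in software_rows:
        hosts.setdefault(r["name"], set()).add(r["host"])
    return sorted(((n, len(h)) for n, h in hosts.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print(top_mime_types(parse_bro_log(SAMPLE_FILES_LOG)))
    print(top_software_by_hosts(parse_bro_log(SAMPLE_SOFTWARE_LOG)))
```

Reading the separator and field list from the header, rather than hard-coding column positions, is what keeps such a script working when a site adds fields to a log or a new Bro release reorders them; bro-cut does the same.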
"What Can It Do?"
Alerts: "Watch this!" Recorded in notice.log, and they can trigger actions.
Alerts in Bro 2.2
CaptureLoss::Too_Much_Loss, Conn::Ack_Above_Hole, Conn::Content_Gap, Conn::Retransmission_Inconsistency, DNS::External_Name, FTP::Bruteforcing, FTP::Site_Exec_Success, HTTP::SQL_Injection_Attacker, HTTP::SQL_Injection_Victim, Intel::Notice, PacketFilter::Dropped_Packets, ProtocolDetector::Protocol_Found, ProtocolDetector::Server_Found, SMTP::Blocklist_Blocked_Host, SMTP::Blocklist_Error_Message, SMTP::Suspicious_Origination, SSH::Interesting_Hostname_Login, SSH::Login_By_Password_Guesser, SSH::Password_Guessing, SSH::Watched_Country_Login, SSL::Certificate_Expired, SSL::Certificate_Expires_Soon, SSL::Certificate_Not_Valid_Yet, SSL::Invalid_Server_Cert, Scan::Address_Scan, Scan::Port_Scan, Signatures::Count_Signature, Signatures::Multiple_Sig_Responders, Signatures::Multiple_Signatures, Signatures::Sensitive_Signature, Software::Software_Version_Change, Software::Vulnerable_Version, [ ], Traceroute::Detected, Weird::Activity
Watching for Suspicious Logins
- SSH::Watched_Country_Login: login from an unexpected country
- SSH::Interesting_Hostname_Login: login from an unusual host name, e.g. smtp.supercomputer.edu
Intelligence Integration (Passive)
- Intelligence feeds (CIF, JC3, Spamhaus, custom/proprietary) supply IP addresses, DNS names, URLs and file hashes
- Traffic monitoring of HTTP, FTP, SSL, SSH, DNS, SMTP, [ ] between the enterprise network and the Internet matches them at these "where" locations: Conn::IN_ORIG, Conn::IN_RESP, Files::IN_HASH, Files::IN_NAME, DNS::IN_REQUEST, DNS::IN_RESPONSE, HTTP::IN_HOST_HEADER, HTTP::IN_REFERRER_HEADER, HTTP::IN_USER_AGENT_HEADER, HTTP::IN_X_FORWARDED_FOR_HEADER, HTTP::IN_URL, SMTP::IN_MAIL_FROM, SMTP::IN_RCPT_TO, SMTP::IN_FROM, SMTP::IN_TO, SMTP::IN_RECEIVED_HEADER, SMTP::IN_REPLY_TO, SMTP::IN_X_ORIGINATING_IP_HEADER, SMTP::IN_MESSAGE, SMTP::IN_HEADER, SSL::IN_SERVER_CERT, SSL::IN_CLIENT_CERT, SSL::IN_SERVER_NAME
- A hit as recorded in notice.log:
  ts              1258565309.806483
  uid             CAK677xaOmi66X4Th
  id.orig_h       192.168.1.103
  id.resp_h       [ ]
  indicator       [ ]m
  indicator_type  Intel::DOMAIN
  where           HTTP::IN_HOST_HEADER
  source          My-Private-Feed
Intelligence Integration (Active)
Pull the hashes of Windows executables out of files.log and ask Team Cymru's Malware Hash Registry about them over DNS:
# cat files.log | bro-cut mime_type sha1 | awk '$1 ~ /dosexec/'
application/x-dosexec 0d801726d49377bfe989dcca7753a62549f1ddda
[ ]
# dig +short 733a48a9cb4[ ]2a91e8d00.malware.hash.cymru.com TXT
"1221154281 53"
Bro does the lookup for you and writes a notice:
ts         [ ]                               Timestamp
uid        [ ]4Th                            Connection ID
id.orig_h  10.2.55.3                         Originator IP
id.resp_h  192.168.34.12                     Responder IP
fuid       FEGVbAgcArRQ49347                 File ID
mime_type  [ ]                               MIME type
[ ]        [ ]ng3g.com/[ ]                   Source URL Bro saw
note       TeamCymruMalwareHashRegistry::Match  Notice type
msg        2013-09-14 22:06:51 / 20%         MHR reply (last seen / detection rate)
sub        https://www.virustotal.com/[ ]    VirusTotal URL
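What the MHR exchange above looks like when scripted, as an added Python example that is not code from the talk or from Bro's own Team Cymru script. It builds the lookup name from a file's hash, parses the TXT answer (the "<last seen unix time> <detection %>" string the slide shows) and turns every matching Windows executable into a notice-shaped record. The DNS resolver is replaced by a constructed in-memory zone so the example runs offline; the file rows are constructed too, and `check_executables` takes any resolver callable so a real one can be dropped in.

```python
import datetime
import re

# Stand-in for what `dig +short <hash>.malware.hash.cymru.com TXT` returns,
# constructed for this example. Only the answer format on the slide, one TXT
# string "<last-seen unix time> <AV detection %>", is taken from the talk.
FAKE_MHR_ZONE = {
    "0d801726d49377bfe989dcca7753a62549f1ddda.malware.hash.cymru.com": '"1221154281 53"',
}

HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")   # MD5 or SHA1


def mhr_query_name(digest):
    """Build the MHR lookup name; the registry is keyed by lowercase MD5/SHA1 hex."""
    d = digest.strip().lower()
    if not HEX_DIGEST.match(d):
        raise ValueError(f"not an MD5/SHA1 hex digest: {digest!r}")
    return f"{d}.malware.hash.cymru.com"


def parse_mhr_reply(txt):
    """Parse the TXT answer into (last-seen UTC datetime, detection percent).

    None (no answer, i.e. the hash is unknown to the registry) passes through.
    """
    if txt is None:
        return None
    last_seen, percent = txt.strip().strip('"').split()
    when = datetime.datetime.fromtimestamp(int(last_seen), tz=datetime.timezone.utc)
    return when, int(percent)


def fake_resolver(name):
    """Constructed resolver: None plays the role of NXDOMAIN."""
    return FAKE_MHR_ZONE.get(name)


def check_executables(files_rows, resolver=fake_resolver):
    """Look up every Windows executable seen in files.log and return the MHR hits.

    Each hit mirrors the notice fields on the slide: the file ID, the hash that
    matched and the MHR reply formatted as 'YYYY-MM-DD HH:MM:SS / NN%'.
    """
    notices = []
    for r in files_rows:
        if r.get("mime_type") != "application/x-dosexec" or not r.get("sha1"):
            continue   # not an executable, or Bro never finished hashing it
        hit = parse_mhr_reply(resolver(mhr_query_name(r["sha1"])))
        if hit is None:
            continue
        when, percent = hit
        notices.append({
            "note": "TeamCymruMalwareHashRegistry::Match",
            "fuid": r["fuid"],
            "sha1": r["sha1"].lower(),
            "msg": f"{when:%Y-%m-%d %H:%M:%S} / {percent}%",
        })
    return notices


# Constructed files.log rows, already split into fields (not a real capture).
SAMPLE_FILES = [
    {"fuid": "F1", "mime_type": "application/pdf", "sha1": "a" * 40},
    {"fuid": "F2", "mime_type": "application/x-dosexec",
     "sha1": "0D801726D49377BFE989DCCA7753A62549F1DDDA"},   # upper case on purpose
    {"fuid": "F3", "mime_type": "application/x-dosexec", "sha1": "b" * 40},  # unknown to MHR
    {"fuid": "F4", "mime_type": "application/x-dosexec", "sha1": None},      # hash not computed
]

if __name__ == "__main__":
    for n in check_executables(SAMPLE_FILES):
        print(n)
```

Two things carry over to production: query a registry only with hashes, never with the file or its URL, and rate-limit and cache the lookups, since every executable crossing a busy link otherwise becomes a DNS query to a third party.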
"What Can It Do?"
Custom logic: "Don't ask what Bro can do. Ask what you want it to do."
Script Example: Matching URLs
Task: Report all Web requests for files called "passwd".

    event http_request(c: connection,          # Connection.
                       method: string,         # HTTP method.
                       original_URI: string,   # Requested URL.
                       unescaped_URI: string,  # Decoded URL.
                       version: string)        # HTTP version.
        {
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...);   # Alarm.
        }
Script Example: Scan Detector
Task: Count failed connection attempts per source address.

    global attempts: table[addr] of count &default=0;

    event connection_rejected(c: connection)
        {
        local source = c$id$orig_h;      # Get source address.
        local n = ++attempts[source];    # Increase counter.
        if ( n == SOME_THRESHOLD )       # Check for threshold.
            NOTICE(...);                 # Alarm.
        }
Scripts are Bro's "Magic Ingredient"
- Bro comes with 10,000 lines of script code: prewritten functionality that's just loaded; scripts generate everything we have seen
- Amenable to extensive customization and extension; a growing community writes 3rd-party scripts
- Bro could report Mandiant's APT1 indicators within a day; same for Heartbleed
Bro Ecosystem
- A tap between the Internet and the internal network feeds Bro
- External scripts add functionality; BroControl manages Bro and its output; a user interface consumes that output
- Other Bros exchange events and state with it
- Broccoli, the Bro Client Communication Library, carries events to external programs, with Broccoli Python, Broccoli Ruby and (Broccoli Perl) bindings
- Also part of the ecosystem: Time Machine, bro-aux, BinPAC, NetControl, and the Bro release tarball
Bro Cluster Ecosystem
The same picture, but Bro itself becomes a cluster: worker Bros take packets from the tap and send events and state to a "Manager", which produces the output for BroControl and the user interface; an external Bro can still exchange events and state, and Broccoli (Python, Ruby, Perl) still carries events to other programs.
Installing Bro
- Here: we'll use ISLET, which comes with everything preinstalled.
- Normally: follow the instructions on bro.org: http://www.bro.org/sphinx/install
- Building from source is pretty straightforward:
  # yum install cmake flex bison swig libpcap-devel [ ]
  # wget [ ]bro-2.2.tar.gz
  # tar xzvf bro-2.2.tar.gz
  # cd bro-2.2
  # ./configure --prefix=/usr/local && make && make install
Configuring Bro
In many cases, just two files to edit.

<prefix>/etc/node.cfg:
    # If you have a small network and only one interface to monitor,
    # this will do it. We'll talk about cluster mode later.
    [bro]
    type=standalone
    host=localhost
    interface=eth0

<prefix>/etc/networks.cfg:
    # List of local networks in CIDR notation, optionally followed by a
    # descriptive tag.
    # For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
    10.0.0.0/8      Private IP space
    192.168.0.0/16  Private IP space

(There's also <prefix>/etc/broctl.cfg with more options you can tweak.)
Using BroControl
Use "broctl" to start & stop.
    # broctl install
    # broctl start
    starting bro ...
    # broctl status
    Name  Type        Host       Status   Pid    Started
    bro   standalone  localhost  running  16737  15 May 15:57:35
    # ls <prefix>/logs/current/
    conn.log http.log [ ]
Reinstall after changing Bro's configuration:
    # broctl check
    bro is ok
    # broctl install
    # broctl restart
Using Bro from the Command Line
We'll use the Bro binary directly.
    # bro -r trace.pcap
    # ls *.log
    conn.log http.log [ ]
"bro-cut" is a handy tool to work with logs.
    # cat http.log | bro-cut -d ts id.orig_h host
    2009-11-21T02:19:34-0800 192.168.1.105 download.windowsupdate.com
    2009-11-21T02:19:37-0800 192.168.1.105 www.update.microsoft.com
    [ ]
Generally, use your standard Unix tools: grep, awk, head/tail, sed, etc.
So much more ...
Bro is a Platform
- Beyond intrusion detection, vulnerability management and file monitoring, there's much more we can talk about: host-level integration, data import and export, automatic reaction, monitoring internal networks, measurements, SDN integration, industrial control systems, embedded devices
- Current research: more file analysis, more protocols (enterprise protocols, ICS), 100 Gb/s networks, summary statistics, Science DMZs, the ICSI SSL Notary, cluster deployment
Using ISLET & Try.Bro
- ISLET server: a full Linux environment. ssh demo@54.149.11.154, the password is "CTSC"; then create your own account. The exercises are in /exercises.
- Try.Bro: point a web browser to try.bro.org. Good for playing with the language and seeing logs.
The U.S. National Science Foundation has enabled much of our work. Bro is coming out of almost two decades of academic research, along with extensive transition-to-practice efforts. NSF has supported much of that, and is currently funding a Bro Center of Expertise at the International Computer Science Institute and the National Center for Supercomputing Applications.
The Bro Project: www.bro.org, info@bro.org, @Bro_IDS
Commercial support: www.broala.com, info@broala.com, @Broala
NetControl
Johanna Amann, johanna@icir.org
NetControl
- Push rules to networking hardware and software
- Based on traffic observed by Bro
- Simple to use but flexible API
Uses for NetControl
- Traffic shunting
- Blocking attacks at the network boundary
- Redirecting high-traffic flows to different interfaces
- Quarantining hosts
Architecture
Network traffic -> Bro (event engine) -> NetControl framework -> backends -> devices. Scripts use high-level calls or low-level rules, each with a timeout; the backends handle the device communication. In the diagram Backend 1 and Backend 2 drive switches, Backend 3 a router and Backend 4 a firewall.
Current backends: command-line applications, Acld, the Bro packet filter, [ ]
Bro PacketFilter
High-level API
    drop_connection(connection, timeout)
    drop_address(host, timeout)
    drop_address_catch_release(host)
    shunt_flow(flow, timeout)
    quarantine(infected_host, dns_host, quarantine_server, timeout)
    whitelist(prefix, timeout)
API Examples
Shunt the data channel of a GridFTP transfer for an hour once it is detected, so the bulk transfer no longer passes through Bro:

    event GridFTP::data_channel_detected(c: connection)
        {
        NetControl::shunt_flow([$src_h=c$id$orig_h, $src_p=c$id$orig_p,
                                $dst_h=c$id$resp_h, $dst_p=c$id$resp_p],
                               1hr);
        }

Drop the source of an address or port scan for ten minutes whenever the scan notice is logged:

    event log_notice(n: Notice::Info)
        {
        if ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan )
            NetControl::drop_address(n$src, 10min);
        }
What do Rules look like?
[ ] Location
Example
Rule(Type=Drop, Entity=Flow([5-tuple]), Target=Monitor)

    function shunt_flow(f: flow_id, t: interval) : string
        {
        local flow = Flow(
            $src_h=addr_to_subnet(f$src_h),
            $src_p=f$src_p,
            $dst_h=addr_to_subnet(f$dst_h),
            $dst_p=f$dst_p
        );
        local e: Entity = [$ty=FLOW, $flow=flow];
        local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t];
        return add_rule(r);
        }
Choosing Backends
(Architecture diagram again: network traffic -> Bro event engine -> NetControl framework -> backends; the rest of the slide did not survive transcription.)