Bro: The Network Defense Framework - ICIR

Transcription

Slide 1: Bro: The Network Defense Framework
Comprehensive Visibility & Defense for Every Corner of Your Network
Robin Sommer, International Computer Science Institute & Broala, www.icir.org/robin

Slide 2: Outline
- Architecture, deployment, history.
- Visibility, detection, customization.
- Scaling & enterprise deployment.

Slide 3: "What Is Bro?"
Capabilities named on the slide: Packet Capture, Traffic Inspection, Attack Detection, NetFlow, Log Recording, syslog, Flexibility, Abstraction, Data Structures.

Slide 4: Typical Deployment
Internet --(1/10G)-- Border gateway --(1/10G)-- LAN, with Bro attached to the border gateway and receiving a copy of the traffic.

Slide 5: Architecture
Layers, bottom to top: Network; Packet Processing; Standard Library; Programming Language. Application areas built on top: Traffic Measurement, Traffic Control, Compliance Monitoring. Open-source, BSD License.

Slide 6: "Who's Using It?"
Installations across the country: universities & research labs; most DOE national labs; supercomputing centers; government organizations; Fortune 20 enterprises.
Community update (BroCon 2015, MIT):
- 50/90/150/180 attendees at BroCon '12/'13/'14/'15
- 110 organizations at BroCon '15
- 5,000 Twitter followers
- 1,000 mailing list subscribers
- 100 users average on IRC channel
- 1,400 stars on GitHub
- Direct downloads from 150 countries
- Fully integrated into Security Onion, a popular security-oriented Linux distribution

Slide 7: Bro History
Timeline 1995–2016 (items listed in the order they appear on the slide; their placement on the year axis is not preserved in this transcription).
Releases: v0.2 (1st CHANGES entry), v0.4, v0.6, v0.7a48 (consistent CHANGES), v0.7a90, 0.8a37, v1.0, v1.1/v1.2, v1.3, v1.4, v1.5, v2.0, v2.1, v2.2.
Milestones and features: Host Context; Time Machine; Enterprise Traffic; Academic Publications; TRW; State Mgmt.; Independent State; USENIX Paper; LBNL starts using Bro operationally; Backdoors; Stepping Stones; Vern writes 1st line of code; Anonymizer; Active Mapping; Context Signatures; RegExps; Login analysis; Profiling; State Mgmt; HTTP analysis; Scan detector; IP fragments; Linux support; Bro Cluster; Shunt; Parallel Prototype; BinPAC; DPD; 2nd Path; Communication; Persistence; Namespaces; Log Rotation; SSL Trust Relationships; BroControl; when statement; STABLE releases; Resource tuning; BroLite; Broccoli; IRC/RPC analyzers; 64-bit support; Sane version numbers; Input; Signatures; SMTP; IPv6 support; User manual; Summary Stats; HILTI; DPI Concurrency; PLC Modeling; DHCP/BitTorrent; HTTP entities; NetFlow; Bro Lite deprecated; File Analysis; User Experience; Bro SDCI; NetControl; VAST; Tor Traffic; IPv6; NMP, Radius, SSL; Bro Center; Ctor expressions; GeoIP; Conn Compressor.

Slide 8: "What Can It Do?"
Three pillars: Visibility, Alerts, Custom Logic. Visibility: "Network ground truth".

Slide 9: Bro's Log Files
Rich, structured, real-time metadata streams for incident response & forensics.
Data flow: Raw Traffic -> Bro -> Network Metadata -> Enterprise Analytics (e.g., Splunk, Kafka, Hadoop).

Slide 10: Connection Logs (conn.log)
Field          | Example value             | Meaning
ts             | 1393099415.790834         | Timestamp
uid            | 2YRTsWjYbZc[...]          | Unique ID
id.orig_h      | 2004:b9e5:6596:9876:[...] | Originator IP
id.orig_p      | 59258                     | Originator port
id.resp_h      | 2b02:178:2fde:bff:[...]   | Responder IP
id.resp_p      | 80                        | Responder port
proto          | tcp                       | IP protocol
service        | http                      | Application-layer protocol
duration       | 2.105488                  | Duration
orig_bytes     | 416                       | Bytes by originator
resp_bytes     | 858                       | Bytes by responder
conn_state     | SF                        | TCP state
local_orig     | F                         | Local originator?
missed_bytes   | 0                         | Gaps
history        | ShADafF                   | State history
tunnel_parents | Cneap78AnVWoA1ymlO        | Outer tunnel connection
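The conn.log fields above are written in Bro's tab-separated ASCII log format, whose header lines ("#separator", "#fields", "#types", "#unset_field", "#empty_field") tell a consumer how to type each column. The following is an added example, not code from the slides or from the Bro project: a reader for that format that types the columns, plus decoders for the history string (uppercase letters are sent by the originator, lowercase by the responder) and for conn_state. The log excerpt it parses is constructed for the example; the uid values are made up.

```python
"""Bro ASCII log reader plus conn.log field decoding (added example, not Bro's code)."""
from typing import Any, Dict, List

# Constructed conn.log excerpt: Bro's header layout and field names with
# made-up connection values (the second row is an unanswered SYN).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig"
    "\tmissed_bytes\thistory\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\tbool\tcount\tstring\tset[string]\n"
    "1393099415.790834\tCx1example\t10.0.0.5\t59258\t93.184.216.34\t80\ttcp"
    "\thttp\t2.105488\t416\t858\tSF\tF\t0\tShADafF\t(empty)\n"
    "1393099420.001000\tCx2example\t10.0.0.5\t40475\t93.184.216.34\t443\ttcp"
    "\t-\t-\t-\t-\tS0\tT\t0\tS\t(empty)\n"
    "#close\t2014-02-22-20-05-00\n"
)

# 'history' letters: uppercase = sent by the originator, lowercase = by the
# responder; '^' means Bro flipped the connection's direction.
HISTORY_FLAGS = {
    "s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "payload", "f": "FIN",
    "r": "RST", "c": "bad checksum", "g": "content gap", "t": "retransmission",
    "w": "zero window", "i": "inconsistent packet", "q": "multi-flag packet",
}

# The most common conn_state values and their meaning.
CONN_STATES = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "RSTO": "connection established, originator aborted (RST)",
    "RSTR": "connection established, responder aborted (RST)",
    "OTH": "no SYN seen, just midstream traffic",
}


def _convert(value: str, typ: str, header: Dict[str, str]) -> Any:
    """Map one column to a Python value according to its '#types' entry."""
    if value == header.get("unset_field", "-"):
        return None
    empty = header.get("empty_field", "(empty)")
    if typ.startswith(("set[", "vector[")):
        return [] if value == empty else value.split(header.get("set_separator", ","))
    if value == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("time", "interval", "double"):
        return float(value)
    if typ == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet: keep the text


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Parse a Bro ASCII log into one dict per record, keyed by field name."""
    sep, header, fields, types, records = "\t", {}, [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator is written as an escape sequence, e.g. "\x09".
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            header[key] = val  # set_separator, unset_field, fields, types, close, ...
        elif line:
            if not fields:
                fields, types = header["fields"].split(sep), header["types"].split(sep)
            cols = line.split(sep)
            if len(cols) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
            records.append({name: _convert(v, t, header)
                            for name, v, t in zip(fields, cols, types)})
    return records


def decode_history(history: str) -> List[str]:
    """Expand a history string such as 'ShADafF' into one step per letter."""
    steps = []
    for ch in history:
        if ch == "^":
            steps.append("direction flipped")
            continue
        side = "originator" if ch.isupper() else "responder"
        steps.append(f"{side} {HISTORY_FLAGS.get(ch.lower(), 'unknown flag ' + ch)}")
    return steps


def describe_conn_state(state: str) -> str:
    """Human-readable meaning of a conn_state value."""
    return CONN_STATES.get(state, f"unknown state {state}")
```

Reading the header rather than hard-coding tab and "-" matters in practice: Bro lets the separator, set separator and unset/empty markers be reconfigured, and a consumer that assumes the defaults silently mis-types fields when they are.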

Slide 11: HTTP Log (http.log)
Field           | Example value
id.orig_h       | 2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p       | 54352
id.resp_h       | 2406:fe60:f47::aaeb:98c
uri             | /soapservices/services/SessionStart
referrer        | -
user_agent      | Mozilla/4.0 (Windows; U) Pando/2.6.0.8
status_code     | 200
username        | anonymous
password        | -
orig_mime_types | application/xml
resp_mime_types | application/xml

Slide 12: Understand Your Network (1)
Top HTTP servers by IP addresses vs. host m[...] (chart; labels recovered: www.google-analytics.com, www.google.com).

Slide 13: SSL Log (ssl.log)
Field                 | Example value
id.orig_h             | 2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p             | 40475
id.resp_h             | 2406:fe60:f47::aaeb:98c
id.resp_p             | 443
version               | TLSv10
cipher                | TLS_DHE_RSA_WITH_AES_256_CBC_SHA
server_name           | www.netflix.com
subject               | CN=www.netflix.com,OU=Operations,O=Netflix, Inc.,L=Los Gatos,ST=CALIFORNIA,C=US
issuer_subject        | CN=VeriSign Class 3 Secure Server CA,OU=VeriSign Trust Network,O=VeriSign, C=US
not_valid_before      | 1389859200.000000
not_valid_after       | 1452931199.000000
client_subject        | -
client_issuer_subject | -
cert_hash             | 197cab7c6c92a0b9ac5f37cfb0699268
validation_status     | ok

Slide 14: Internal [...] (two log excerpts; the second carries radius.log-style fields)
DHCP record (dhcp.log fields):
uid         | [...]IYRGHc3
id.orig_h   | 10.129.5.11
id.resp_h   | 10.129.5.1
mac         | 04:12:38:65:fa:68
assigned_ip | 10.129.5.11
lease       | [...]
Second record:
uid         | 3RM24iF4vIYRGHc3
id.orig_h   | 10.129.5.11
id.resp_[.] | [...]1:11:cd
remote_ip   | -
result      | success

Slide 15: Bro's Protocol Analyzers
List only partially extracted: AYIYA, BitTorrent, DCE[...], P3[...], Portmapper, Radius, RDP, [...], Teredo, X509, ZIP.

Slide 16: Software Log (software.log)
Only fragments extracted: a host field ([...]100.2), a software field, a version string fragment "[...]dows; 8; i32; en US; Trooper 5694-2047-1832-6291-8315)", and the unparsed_version field.

Slide 17: Understand Your Network (2)
Top Software by Number of [...] (chart; labels recovered: Chrome, Microsoft-CryptoAPI).

Slide 18: File Logs (files.log)
Field       | Example value
fuid        | hPJP2tx[...]
tx_hosts    | 191.168.187.33
rx_hosts    | 10.1.29.110
conn_uids   | [...]
[...]ime n  | 5.320822
local_orig  | T
seen_bytes  | 39508
md5         | 93f7f5e7a2096927e06e[...]1085bfcfb
sha1        | daed94a5662a920041be[...]a433e501646ef6a03

Slide 19: Understand Your Network (3)
Top File [...] (chart; labels recovered: image/gif, image/png).

Slide 20: Volume of Logs & Files
Log entries on a typical weekday in May, Lawrence Berkeley National [Lab] (about 5,000 users & 15,000 hosts):
- [...]g: 5.4M
- files.log: 33M
- Extracted files (*): 96K
(*) Includes office docs, executables, PDFs.

Slide 21: Bro's Log Files
Rich, structured, real-time metadata streams for incident response & forensics.
Data flow: Raw Traffic -> Bro -> Network Metadata -> Enterprise Analytics (e.g., Splunk, Kafka, Hadoop).
Common use cases: forensics, hunting, profiling.

Slide 22: "What Can It Do?"
Visibility: "Network Ground Truth". Alerts: "Watch this!" Custom Logic: record & trigger actions.

Slide 23: Watching for Suspicious Logins
- SSH::Watched_Country_Login: login from an unexpected country.
- SSH::Interesting_Hostname_Login: login from an unusual host name (example: smtp.supercomputer.edu).

Slide 24: Intelligence [...] Traffic Monitoring
Indicator types: IP addresses, DNS names, URLs, file hashes.
Matched in: HTTP, FTP, SSL, SSH, FTP, DNS, SMTP, [...]
Example intel.log entry (also raised in notice.log):
ts             | [...]806483
uid            | CAK677xaOmi66X4Th
id.orig_h      | 192.168.1.103
id.resp_h      | 192.168.1.1
indicator      | baddomain.com
indicator_type | Intel::DOMAIN
where          | HTTP::IN_HOST_HEADER
source         | My-Private-Feed
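The intel.log entry above is what Bro's Intelligence Framework produces when an item "seen" in traffic (here a Host header) is found in a loaded feed. What follows is an added example, not code from the slides and not the framework's own implementation: a Python model that loads a feed in the column layout Bro's intel framework reads (tab-separated indicator, indicator_type, meta.source), matches observations against it, and returns intel.log-style records. The feed rows, the observed items and the uid values are constructed; the "where" values are Bro's location enums; lower-casing domains and stripping the URL scheme before comparison are this example's own normalisation.

```python
"""Indicator matching modelled on Bro's Intelligence Framework (added example)."""
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed feed in the layout Bro's intel framework reads.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "baddomain.com\tIntel::DOMAIN\tMy-Private-Feed\n"
    "203.0.113.7\tIntel::ADDR\tMy-Private-Feed\n"
    "bad.example/dropper.jar\tIntel::URL\tMy-Private-Feed\n"
    "baddomain.com\tIntel::DOMAIN\tPartner-Feed\n"
)

# Constructed "seen" items: connection context plus the item and where in the
# traffic it appeared (the 'where' values are Bro's location enums).
SAMPLE_SEEN = [
    {"ts": 1393099415.806483, "uid": "Cseen1", "id.orig_h": "192.168.1.103",
     "id.resp_h": "192.168.1.1", "indicator": "BadDomain.com",
     "indicator_type": "Intel::DOMAIN", "where": "HTTP::IN_HOST_HEADER"},
    {"ts": 1393099416.000000, "uid": "Cseen2", "id.orig_h": "192.168.1.103",
     "id.resp_h": "192.168.1.53", "indicator": "www.example.org",
     "indicator_type": "Intel::DOMAIN", "where": "DNS::IN_REQUEST"},
    {"ts": 1393099417.250000, "uid": "Cseen3", "id.orig_h": "192.168.1.104",
     "id.resp_h": "198.51.100.9", "indicator": "http://bad.example/dropper.jar",
     "indicator_type": "Intel::URL", "where": "HTTP::IN_URL"},
    {"ts": 1393099418.500000, "uid": "Cseen4", "id.orig_h": "192.168.1.105",
     "id.resp_h": "203.0.113.7", "indicator": "203.0.113.7",
     "indicator_type": "Intel::ADDR", "where": "Conn::IN_RESP"},
]

IndicatorKey = Tuple[str, str]  # (indicator_type, normalised indicator)


def normalise(indicator: str, indicator_type: str) -> str:
    """Canonical form so feed entries and observations compare equal."""
    value = indicator.strip()
    if indicator_type == "Intel::DOMAIN":
        return value.lower().rstrip(".")
    if indicator_type == "Intel::URL":
        # Feeds list URLs without a scheme; drop it from observations too.
        for scheme in ("http://", "https://"):
            if value.lower().startswith(scheme):
                value = value[len(scheme):]
        return value
    return value


def load_feed(text: str) -> Dict[IndicatorKey, Set[str]]:
    """Read a Bro-style intel feed into {(type, indicator): {sources}}."""
    feed: Dict[IndicatorKey, Set[str]] = {}
    columns: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            columns = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        row = dict(zip(columns, line.split("\t")))
        key = (row["indicator_type"], normalise(row["indicator"], row["indicator_type"]))
        feed.setdefault(key, set()).add(row["meta.source"])
    return feed


def match_seen(feed: Dict[IndicatorKey, Set[str]],
               seen: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an intel.log-style record if the seen item is in the feed."""
    key = (seen["indicator_type"], normalise(seen["indicator"], seen["indicator_type"]))
    sources = feed.get(key)
    if not sources:
        return None
    return {
        "ts": seen["ts"], "uid": seen["uid"],
        "id.orig_h": seen["id.orig_h"], "id.resp_h": seen["id.resp_h"],
        "seen.indicator": seen["indicator"],
        "seen.indicator_type": seen["indicator_type"],
        "seen.where": seen["where"],
        "sources": sorted(sources),  # every feed that listed the indicator
    }


def find_hits(feed: Dict[IndicatorKey, Set[str]],
              seen_items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run all observations through the feed; keep only the matches."""
    return [hit for hit in (match_seen(feed, s) for s in seen_items) if hit]
```

The "sources" list is the detail worth copying from the real framework: when the same indicator appears in several feeds, one hit carries all of them, which is what an analyst needs to judge its reliability.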

Slide 25: Intelligence Integration (Active)
Pipeline shown on the slide: pull the SHA1 hashes of Windows executables out of files.log, then query Team Cymru's Malware Hash Registry (MHR) over DNS:

    # cat files.log | bro-cut mime_type sha1 | awk '$1 ~ /dosexec/'
    ... 0d801726d49377bfe989dcca7753a62549f1ddda [...]
    # dig +short 733a48a9cb4[...]2a91e8d00.malware.hash.cymru.com TXT
    "1221154281 45"

Bro does the same lookup itself; the resulting notice carries:
Field                | Example value                                    | Meaning
uid                  | [...]xaOmiIo4Th                                  | Connection ID
id.orig_h            | 10.2.55.3                                        | Originator IP
id.resp_h            | 192.168.34.12                                    | Responder IP
fuid                 | FEGVbAgcArRQ49347                                | File ID
mime_type            | application/jar                                  | MIME type
(source)             | http://app.looking3g.com/[...]                   | Source URL
note                 | TeamCymruMalwareHashRegistry::Match              | Notice type
(msg)                | 2013-09-14 22:06:51 / 20%                        | MHR reply (last seen / detection rate)
(sub)                | https://www.virustotal.com/[...]                 | VirusTotal URL

Slide 26: "What Can It Do?"
Visibility: "Network Ground Truth". Alerts: "Watch this!" Custom Logic: record & trigger actions. "Don't ask what Bro can do. Ask what you want it to do."

Slide 27: Script Example: Matching URLs
Task: Report all Web requests for files called "passwd".

    event http_request(c: connection,           # Connection.
                       method: string,          # HTTP method.
                       original_URI: string,    # Requested URL.
                       unescaped_URI: string,   # Decoded URL.
                       version: string)         # HTTP version.
        {
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...); # Alarm.
        }

Slide 28: Script Example: Scan Detector
Task: Count failed connection attempts per source address.

    global attempts: table[addr] of count &default=0;

    event connection_rejected(c: connection)
        {
        local source = c$id$orig_h;        # Get source address.
        local n = ++attempts[source];      # Increase counter.
        if ( n == SOME_THRESHOLD )         # Check for threshold.
            NOTICE(...);                   # Alarm.
        }
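The slide's script keeps one counter per source in a Bro table and alarms when it reaches a threshold. The following is an added example, not the slides' code and not Bro's own scan detector: the same logic in Python over a stream of rejected-connection events, extended with what a production version of the script adds, namely an expiry window (the effect the table gets from Bro's &write_expire attribute), a record of which targets were tried, and a notice that fires once per source rather than on every attempt past the threshold. The events, the addresses and the notice name "ScanDetector::Threshold_Reached" are constructed for the example.

```python
"""Threshold scan detection modelled on the slide's Bro script (added example)."""
from typing import Any, Dict, List, Optional, Set, Tuple

SOME_THRESHOLD = 5      # attempts before a notice, as in the slide's script
EXPIRE_WINDOW = 300.0   # seconds a source's counter lives without a new attempt

# Constructed connection_rejected events: (timestamp, source, destination, port).
SAMPLE_EVENTS: List[Tuple[float, str, str, int]] = (
    [(1000.0 + i, "10.1.1.9", f"10.1.2.{i}", 22) for i in range(6)]    # scanner
    + [(1010.0 + i, "10.1.1.20", "10.1.2.50", 443) for i in range(3)]  # below threshold
    + [(1020.0 + i, "10.1.1.30", "10.1.2.60", 80) for i in range(3)]   # 3 attempts now ...
    + [(2000.0 + i, "10.1.1.30", "10.1.2.60", 80) for i in range(3)]   # ... 3 after expiry
)


class ScanDetector:
    """Per-source counter of rejected connections with expiry, like the Bro table."""

    def __init__(self, threshold: int = SOME_THRESHOLD, window: float = EXPIRE_WINDOW):
        self.threshold = threshold
        self.window = window
        # source -> (count, timestamp of last attempt, targets tried)
        self.attempts: Dict[str, Tuple[int, float, Set[Tuple[str, int]]]] = {}

    def on_rejected(self, ts: float, src: str, dst: str,
                    dport: int) -> Optional[Dict[str, Any]]:
        """Handle one rejected attempt; return a notice when the threshold is hit."""
        count, last_ts, targets = self.attempts.get(src, (0, ts, set()))
        if ts - last_ts > self.window:
            count, targets = 0, set()      # the Bro entry would have expired
        count += 1
        targets.add((dst, dport))
        self.attempts[src] = (count, ts, targets)
        if count == self.threshold:        # '==' so the notice fires only once
            return {"note": "ScanDetector::Threshold_Reached",  # constructed name
                    "ts": ts, "src": src, "attempts": count,
                    "targets": sorted(targets)}
        return None


def run(events: List[Tuple[float, str, str, int]],
        detector: Optional[ScanDetector] = None) -> List[Dict[str, Any]]:
    """Feed events in time order and collect the notices raised."""
    detector = detector or ScanDetector()
    notices = []
    for ts, src, dst, dport in sorted(events):
        notice = detector.on_rejected(ts, src, dst, dport)
        if notice:
            notices.append(notice)
    return notices
```

Run on the constructed events, only 10.1.1.9 produces a notice: 10.1.1.20 never reaches the threshold, and 10.1.1.30's two bursts are further apart than the window, so its counter resets between them. Without the expiry, a slow source would eventually trip the threshold from unrelated failures, which is why the Bro script in practice gives the table an expiry attribute.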

Slide 29: Scripts are Bro's "Magic Ingredient"
- Bro comes with 10,000 lines of script code: prewritten functionality that's just loaded.
- Scripts generate everything you have seen.
- Amenable to extensive customization and extension.
- Growing community writing 3rd-party scripts; Mozilla open-sourced 50 Bro scripts on GitHub.
- We are developing a community repository, like CPAN/PyPI for Bro scripts and plugins, funded by Mozilla.

Slide 30: "What Can It Do?"
Log Files, Alerts, Custom Logic.

Slide 31: Deploying Bro at Scale (single system)
Internet --(1/10G)-- Border Gateway --(1/10G)-- LAN. The monitoring feed enters a NIC on one Bro system that runs several Bro processes; the system emits logs & alerts.

Slide 32: Deploying Bro at Scale (cluster)
Internet --(100G)-- Border Gateway. A load-balancer splits the 100G feed into 10G streams, each going to a NIC on a Bro node that runs several Bro processes; the nodes together form a Bro Cluster and emit logs & alerts.

Slide 33: Monitoring Enterprise Environments
From perimeter to internal. From standalone to coordinated. From passive to active.
Bro's open-source roadmap is full of functionality to support all of this.

Slide 34: A Tale of Two Users
Science & Higher Education:
- Happy to experiment.
- Used to open-source software.
- Driven by skilled individuals.
- Limited funding.
Enterprises & Governments:
- Used to purchasing solutions.
- Require reliable point of contact.
- Avoid dependence on individuals.
- More flexible budgets.
Bridging both: Bro Center of Expertise.

Slide 35: BroBox One: Visibility, made elegantly simple.
Enterprise-grade Bro solutions, from the creators of Bro:
- Commercial Bro support plans.
- Fully-supported, turn-key Bro appliances.
BroBox One:
- Bro logs and file extraction
- Export data to Kafka, Splunk, Syslog, SFTP
- Engineered for ease of use; setup in 10 mins
- Aggressively tuned for performance & stability
- Custom 4x10G FPGA NIC
- Zero maintenance, ready for the future
- Soon: Comprehensive API

Slide 36: Advantage: Integration
With BroBox One we are controlling the full stack (NIC, Bro system, Bro processes; figure label: "1 year"). We can take integration much further, while maintaining the open-source spirit.

Slide 37: Broala's Roadmap
Broala is building a turn-key solution to operate Bro at scale.
- Range of BroBox models.
- Central fleet management: a backend (California) with a BroBox Monitor; BroBoxes deployed per facility (backbone, data center, offices, factory floor, ...), connected over the WAN.
- Global aggregation, correlation, & management across 100s of locations.
- Active control: dynamic firewall.

Slide 38: Join the Bro Community
Broala is just one of many companies leveraging Bro. Joint goal: a sustainable long-term open-source model.
- Software Freedom Conservancy: fiscal sponsor & neutral 3rd party.
- Bro Leadership Team: steering committee including community members.
- Bro Future Fund: precious metal sponsorships.

Slide 39: Bro: Open-source Network Monitoring
- Versatile: supports intrusion detection, forensics, vulnerability management, file analysis, traffic measurement, and more.
- Efficient: scales to the needs of large networks horizontally and vertically.
- Widely adopted: used by enterprises, cloud providers, universities, financial institutions, government agencies, household brands, national labs, data centers.
- Flexible: customizable & integrates with major enterprise analytics tools.
- Out-of-band solution: passive analysis without performance penalties on production traffic.
- Open-source: very permissive BSD license.
- Commercially supported: Broala offers professional Bro solutions by the creators of the system.

Closing slides: Acknowledgments, Events & Contact
The U.S. National Science Foundation has enabled much of Bro. Bro is coming out of two decades of academic research, along with extensive transition-to-practice efforts. NSF has supported much of that, and is currently funding the Bro Center of Expertise at the International Computer Science Institute and the National Center for Supercomputing Applications.

Bro is a member of Software Freedom Conservancy. Software Freedom Conservancy, Inc. is a 501(c)(3) not-for-profit organization that helps promote, improve, develop, and defend Free, Libre, and Open Source Software projects.

Upcoming Events:
- August 16 (tentative): Bro Training at NSF Cybersecurity Summit, VA
- Sep 13–15: BroCon 2016, Austin, TX

We are hiring!

The Bro Project: www.bro.org, info@bro.org, @Bro_IDS
Commercial Bro Solutions: www.broala.com, info@broala.com, @Broala
