Introduction to Bro-IDS. Seth Hall The Ohio State University

Transcription

1 Introduction to Bro-IDS Seth Hall The Ohio State University

2 Concepts Fundamentally, Bro provides a real-time network analysis framework. Not necessarily aiming to create an IDS turns out to be quite a useful goal. Emphasis on: Application level semantics Tracking information over time and across sessions. Emphasis not placed on signatures! Signatures are supported however!

3 Architecture Network Network Packets are captured using libpcap.

4 Architecture Network Events from Core Events from Core Protocol analyzers raise policyneutral events. Some example events include: connection_attempted connection_established http_request, http_reply dns_request, smtp_data

5 Architecture Network Events from Core Script Policy Script Interpreter Events are handled by policy scripts which could use context from previous events and save state for later use in other event handlers. Analysts using Bro will mostly work at this layer. Interpreter

6 Programming Your Analysis Bro has it s own full programming language. Domain specific language geared toward temporal data analysis since network traffic is inherently based in time. Event based programming. Most analysis is done by handling events passed up from the core. Variable refinement attributes to automatically expire state over time.

7 Event Handling Examples Log all detected local services. If using DPD, indicate detected protocol.

8 Event Handling Examples Log all DNS requests and indicate if a request is in a list of bad domains.

9 Noteworthy Features Dynamic protocol detection (DPD) for detecting protocols on any port. Bro Communications Protocol Bro instances or other applications can send and receive events and state from each other. C library named Broccoli for instrumenting other applications to speak the Bro protocol with bindings available for Python, Ruby, and Perl. Supports use of: libmagic, GeoIP, and p0f BroControl and the cluster! (in upcoming 1.5 release)

10 Noteworthy Features, cont. Resilience in the presence of flooding via the connection compressor. Interactive policy script debugger (similar to gdb). IPv6 Policy script addr type supports v4 and v6 addresses if IPv6 support is compiled in with --enable-brov6. Time Machine Bulk packet record with configurable per-connection recording cutoff and it supports the Bro communications protocol.

11 Running with BroControl BroControl gives a much improved user interface to working with a production Bro installation. Runtime updates for updating sets and tables of data. For example, a list of bad URLs. No restart required. Will be included in the 1.5 release that should be released soon.

12 Use Case HTTP

13 HTTP HTTP is a big protocol for us as it is for most people. Last measurement I did showed approximately 60% of our packets are over port 80. It should average out to ~950Mbps of port 80 traffic at peak.

14 Large scale HTTP analysis That s a terrifying number when you re doing libmagic on every HTTP transfer! (Yes, we do) The Bro Cluster enables us to do that by letting us use a lot of relatively inexpensive machines for our analysis. No special hardware. All off the shelf.

15 MD5 Sums on the Fly Did libmagic indicate a Windows executable? Then calculate the MD5 sum as the file is transferred. Check with Team Cymru s Malware Hash Registry to see if they think this file is malware. All done within Bro at analysis time; no hacky external scripts.

16 Protocol Logging We generate HTTP request logs for all of our local web servers (on any port with DPD). Nearly 3000 servers. Contains: timestamp, connection 4- tuple, method, URL, referrer URL, user agent, and proxy added headers. Easy to parse tab separated format. We do this for other protocols as well. E.g. SMTP, FTP, DNS.

17 External Intelligence We use collected intelligence from open and closed sources to identify suspicious activity and compromised hosts. Malwaredomainlist.com, zeustracker.abuse.ch, Spamhaus, etc... We use this to modify our logging policy too (only inbound requests are logged by default).

18 SQL Injection Attacks We had a data breach a few years ago due to a poorly written web application connected to a database with more data than it should have had. Obvious answer? Detect SQL injection attacks with Bro.

19 SQL Injection Attacks, cont. Regular expression does the initial job identifying potential SQL injections. Policy script watches for too many potential SQL injections against a site and triggers an SQL injection attack protection mode once a threshold has been crossed. Reaction could be to block any attacking hosts.

20 Feeding IDS Results Back Into Other Processes We used the detected SQL injection attacks to determine what sites we would target for penetration testing. Attackers would tend to find a site with an SQL injection problem and then revisit it a couple of week later, but the problem would be fixed by then.

21 Resources Bro: Bro Ticket Tracker: My scripts: