Bro: A System for Detecting Network Intruders in Real-Time

1. Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA “A stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder’s traffic transits.”

2. Outline • Introduction • What is an attack? • Ways of detecting an attack. • Structure of Bro • Event driving • Policy script • Example usage of Bro to detect network intruder in real time.

3. What is an attack? • “With growing Internet connectivity comes growing opportunities for attackers to illicitly access computers over the network.” Such as: use telnet to connect to Unix server, guess administrators password,when succeed,do what they want. • How to detect an attack? - Examine information gathered by host at a later time. (Maybe after attack happens.) • A stand-alone system by observing network link traffic directly,using a packet filter.(Like the Bro does.)

4. What is Bro ? “High-speed,large volume monitoring” Bro tracks an FDDI network link with a speed of 100Mbps. “Real-time notification” Bro has a layered structure to ensure that packet filter,event generating,event tackling locate at different level.Each layer only process limited information.Bro reacts quickly at an attack. “Extensible” Bro implemented with C++,any new attack knowledge can be easily added. “The monitor will be attacked” Bro monitor network traffic,attacker will try to evade Bro.

5. Structure of the Bro system Real-time notification Record to disk Policy script Policy Script Interpreter Event control Event stream Event Engine Tcpdump filter Filtered packet stream libpcap Packet stream Network

6. Structure of the Bro system • Packet Filter(libpcap) • Bro use packet filter to extract specified packet out of network traffic, send to its upper layer (Event engine) for further analyse. • Event Engine • First it will do an integrity check to assure that the packet headers are well formed.If it fails,then Bro generates an event. • Further on, it will do TCP or UDP header check,like the SYN/FIN/RST control flags.

7. Structure of the system • Policy Script Bro designed its own language to specify which host,which service to listen to,an interpreter program will explain it and indicate if an attack happen or issue a command to throw a packet. For example: Const allowed_services={[ftp.lbl.gov,ftp],[ftp.lbl.gov,20/tcp],…} If ([H,S] in allowed_services) …it’s ok…

8. Attacks on the monitor “Subterfuge attack” In order to intrude an host,if a Bro stand by,the attacker will first try to defeat Bro. For example: An attacker as a FTP client may send a login name as User nice\0User root Bro will extract the whole message,instead only “user nice\0” part. “Another way is to launch the packet with an IP “Time to Live”(TTL) field sufficient to carry the packet past the monitoring point,but insufficient to carry it all the way to the endpoint.” See the following graph:

9. A TTL-based evasion attack ttl=20 user victim user root ttl=12 nice Attacker ttl=20 root user = ? Monitor “Another way is to launch the packet with an IP “Time to Live”(TTL) field sufficient to carry the packet past the monitoring point,but insufficient to carry it all the way to the endpoint.”

10. Conclusion • “Bro can track six internet applications: Finger,FTP, Portmapper, Ident,Telnet and Rlogin. ” • “A number of commercial products exist that do what Bro does.” Question: Can Bro survive a Internet Worm intrusion?