Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Download
Standard view
Full view
of .
Look up keyword
Like this
2Activity
0 of .
Results for:
No results containing your search query
P. 1
bro-CN99

bro-CN99

Ratings: (0)|Views: 53|Likes:
Published by manjunathbhatt
Intrusion detection system
Intrusion detection system

More info:

Published by: manjunathbhatt on Nov 23, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

12/26/2011

pdf

text

original

 
Bro: A System for Detecting Network Intruders in Real-Time
Vern PaxsonLawrence Berkeley National Laboratory, Berkeley, CAandAT&T Center for Internet Research at ICSI, Berkeley, CAvern@aciri.org
Abstract
We describe Bro, a stand-alone system for detecting net-work intruders in real-time by passively monitoring a net-work link over which the intruder's traf 
c transits. We givean overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time noti
cation, clearseparation between mechanism and policy, and extensibility.To achieve these ends, Bro is divided into an “event engine”that reduces a kernel-
lterednetworktraf 
c stream into a se-ries of higher-level events, and a “policy script interpreter”that interprets event handlers written in a specialized lan-guage used to express a site's security policy. Event handlerscan update state information, synthesize new events, recordinformation to disk, and generate real-time noti
cations via
syslog
. We also discuss a number of attacks that attemptto subvert passive monitoring systems and defenses againstthese, and give particulars of how Bro analyzes the six ap-plications integrated into it so far: Finger, FTP, Portmapper,Ident, Telnet and Rlogin. The system is publicly available insource code form.
1 Introduction
With growing Internet connectivity comes growing oppor-tunities for attackers to illicitly access computers over thenetwork. The problem of detecting such attacks is termed
network intrusion detection
, a relatively new area of securityresearch [MHL94]. We can divide these systems into twotypes, those that rely on audit information gathered by thehosts in the network they are trying to protect, and those thatoperate “stand-alone” by observing network traf 
c directly,and passively, using a packet
lter. There is also increasinginterest in building hybrid systems that combine these twoapproaches [Ax99].
This paper appears in
Computer Networks
, 31(23–24), pp. 2435–2463,14 Dec. 1999. This work was supported by the Director, Of 
ce of EnergyResearch, Of 
ce of Computational and Technology Research, Mathemati-cal, Information, and Computational Sciences Division of the United StatesDepartment of Energy under Contract No. DE-AC03-76SF00098. An ear-lier version of this paper appeared in the Proceedings of the 7th USENIXSecurity Symposium, San Antonio, TX, January 1998.
In this paper we focus on the problem of building stand-alonesystems, whichwewill term“monitors.” Thoughmon-itors necessarily face the dif 
culties of more limited infor-mation than systems with access to audit trails, monitorsalso gain the major bene
t that they can be added to a net-work without requiring any changes to the hosts. For ourpurposes—monitoring a collection of several thousand het-erogeneous, diversely-administeredhosts—this advantage isimmense.Our monitoring system is called Bro (an Orwellian re-minder that monitoring comes hand in hand with the po-tential for privacy violations). A number of commer-cial products exist that do what Bro does, generally withmuch more sophisticated interfaces and management soft-ware [In99, To99, Ci99], and larger “attack signature” li-braries. To our knowledge, however, there are no detailedaccounts in the network security literature of how monitorscan be built. Furthermore, monitors can be susceptible to anumber of attacks aimed at subverting the monitoring; webelieve the attacks we discuss here have not been previouslydescribed in the literature. Thus, the contribution of this pa-per is not at heart a novel idea (though we believed it novelwhen we undertook the project, in 1995), but rather a de-tailed overview of some experiences with building such asystem.PriortodevelopingBro, wehadsigni
cantoperationalex-perience with a simpler system based on off-line analysis of 
tcpdump
[JLM89] trace
les. Out of this experience weformulated a number of design goals and requirements:
High-speed, large volume monitoring
For our environ-ment, we view the greatest source of threats as externalhosts connecting to our hosts over the Internet. Sincethe network we want to protect has a single link con-necting it to the remainder of the Internet (a “DMZ”),we can economically monitor our greatest potentialsource of attacks by passively watching the DMZ link.
Or at least appear, according to their product literature, to do the samethings—we do not have direct experience with any of these products.A somewhat different sort of product, the “Network Flight Recorder,” isdescribed in [RLSSLW97], though it is now increasingly used for intrusiondetection [Ne99].
1
 
However, the link is an FDDI ring, so to monitor it re-quires a system that can capture traf 
c at speeds of upto 100 Mbps.
No packet
lter drops
If an application using a packet
l-ter cannot consume packets as quickly as they arrive onthe monitored link, then the
lter will buffer the pack-ets for later consumption. However, eventually the
l-ter will run out of buffer, at which point it
drops
anyfurther packets that arrive. From a security monitor-ing perspective, drops can completely defeat the mon-itoring, since the missing packets might contain ex-actly the interesting traf 
c that identi
es a network in-truder. Given our
rst design requirement—high-speedmonitoring—then avoiding packet
lter drops becomesanother strong requirement.It is sometimes tempting to dismiss a problem such aspacket
lter drops with an argument that it is unlikelya traf 
c spike will occur at the same time as an attackhappens to be underway. This argument, however, iscompletely undermined if we assume that an attackermight, in parallel with a break-in attempt,
attack themonitor itself 
(see below).
Real-time noti
cation
One of our main dissatisfactionswith our initial off-line system was the lengthy delayincurred before detecting an attack. If an attack, oran attempted attack, is detected quickly, then it can bemuch easier to trace back the attacker (for example, bytelephoning the site from which they are coming), min-imize damage, prevent further break-ins, and initiatefull recording of all of the attacker's network activity.Therefore, one of our requirements for Bro was that itdetect attacks in real-time. This is not to discount theenormous utility of keeping extensive, permanent logsof network activity for later analysis. Invariably, whenwe have suffered a break-in, we turn to these logs forretrospective damage assessment, sometimes searchingback a number of months.
Mechanism separate from policy
Sound software designoften stresses constructing a clear separation betweenmechanism and policy; done properly, this buys bothsimplicity and
exibility. The problems faced by oursystem particularlybene
t from separating the two: be-cause we have a fairly high volume of traf 
c to dealwith, we need to be able to easily trade-off at differ-ent times how we
lter, inspect and respond to differenttypesof traf 
c. Ifwe hardwiredtheseresponsesinto thesystem, then these changes would be cumbersome (anderror-prone) to make.
Extensible
Because there are an enormous number of dif-ferent network attacks, with who knows how manywaiting to be discovered, the system clearly must bedesigned in order to make it easy to add to it knowledgeof new types of attacks. In addition, while our systemis a research project, it is at the same time a productionsystem that plays a signi
cant role in our daily secu-rity operations. Consequently, we need to be able toupgrade it in small, easily debugged increments.
Avoid simple mistakes
Of course, we always want to avoidmistakes. However, here we mean that we particularlydesire that the way that a site de
nes its security pol-icy be both clear and as error-free as possible. (For ex-ample, we would not consider expressing the policy inC code as meeting these goals.)
The monitor will be attacked
We must assume that attack-ers will (eventually) have full knowledge of the tech-niques used by the monitor, and access to its sourcecode, and will use this knowledge in attempts to sub-vert or overwhelm the monitor so that it fails to detectthe attacker's break-inactivity. This assumption signi
-cantlycomplicatesthe designof the monitor;but failingto address it is to build a house of cards.We do, however, allow one further assumption, namelythat
the monitor will only be attacked from one end 
.That is, given a network connection between hostsand , we assume that at most one of or has beencompromised and might try to attack the monitor, butnot both. This assumption greatly aids in dealing withthe problem of attacks on the monitor, since it meansthat
we can trust one of the endpoints
(though we donot know which).In addition, we note that this second assumption costsus virtuallynothing. If, indeed,both and havebeencompromised, then the attacker can establish intricatecovert channels between the two. These can be immea-surably hard to detect, depending on how devious thechannel is; that our system fails to do so only means wegive up on something extremely dif 
cult anyway.A
nal important point concerns the broader context forour monitoring system. Our site is engaged in basic, unclas-si
ed research. The consequences of a break-in are usuallylimited to (potentially signi
cant) expenditure in lost timeand re-securing the compromised machines, and perhaps atarnished public image depending on the subsequent actionsof the attackers. Thus, while we very much aim to minimizebreak-in activity, we do not try to achieve “airtight” security.We instead emphasizemonitoringoverblockingwhen possi-ble. Obviously, other sites may have quite different securitypriorities, which we do not claim to address.In the remainder of this paper we discuss how the designof Bro attempts to meet these goals and constraints. First, in2 we givean overviewof the structure of the whole system.3 presents the specialized
Bro
language used to express asite's security policy. We turn in 4 to the details of how thesystem is currently implemented. 5 discusses attacks onthe monitoring system. 6 looks at the specialized analysis2
 
Network
Event streamRecord to diskReal-time notificationFiltered packet stream
Event Engine
Policy scriptEvent controlTcpdump filterPacket stream
Policy Script Interpreter
libpcap
Figure 1: Structure of the Bro systemBro does forsix Internetapplications: FTP, Finger, Portmap-per, Ident, Telnet and Rlogin. 7 gives the status of the im-plementation and our experiences with it, including a brief assessment of its performance. 8 offers some thoughts onfuture directions. Finally, an Appendix illustrates how thedifferent elements of the system come together for monitor-ing Finger traf 
c.
2 Structure of the system
Bro is conceptually divided into an “event engine” that re-ducesastreamof(
ltered)packetstoastreamofhigher-levelnetwork events, and an interpreter for a specialized languagethat is used to express a site's security policy. More gener-ally, the system is structured in layers, as shown in Figure 1.The lower-most layers process the greatest volume of data,and hence must limit the work performed to a minimum. Aswe go higher up through the layers, the data stream dimin-ishes, allowing for more processing per data item. This ba-sic design re
ects the need to conserve processing as muchas possible, in order to meet the goals of monitoring high-speed, large volume traf 
c
ows without dropping packets.
2.1
libpcap
From the perspective of the rest of the system, just above thenetwork itself is
libpcap
[MLJ94], the packet-capture li-brary used by
tcpdump
[JLM89]. Using
libpcap
gainssigni
cant advantages: it isolates Bro from details of thenetwork link technology (Ethernet, FDDI, SLIP, etc.); itgreatly aids in porting Bro to different Unix variants (whichalso makes it easier to upgrade to faster hardware as it be-comes available); and it means that Bro can also operateon
tcpdump
save
les, making off-line development andanalysis easy.Another major advantage of 
libpcap
is that if the hostoperating system provides a suf 
ciently powerful kernelpacket
lter, such as BPF [MJ93], then
libpcap
down-loads the
lter used to reducethe traf 
c into the kernel. Con-sequently, rather than having to haul every packet up to user-level merely so the majority can be discarded (if the
lteraccepts only a small proportion of the traf 
c), the rejectedpackets can instead be discarded in the kernel, without suf-fering a context switch or data copying. Winnowing downthe packet stream as soon as possible greatly abets monitor-ing at high speeds without losing packets.The key to packet
ltering is, of course, judicious selec-tion of which packets to keep and which to discard. For theapplication protocolsthat Bro knows about, it captures everypacket, so it can analyze how the application is being used.In
tcpdump
's
ltering language, this looks like:
port finger or port ftp or tcp port 113 orport telnet or port login or port 111
That is, the
lter accepts any TCP packets with a sourceor destination port of 79 (Finger), 21 (FTP), 113 (Ident),23 (Telnet), 513 (Rlogin), and any TCP or UDP packets witha sourceordestinationportof111(Portmapper). Inaddition,Bro uses:
tcp[13] & 7 != 0
to capture any TCP packets with the SYN, FIN, or RST con-trol bits set. These packets delimit the beginning (SYN) andend (FIN or RST) of each TCP connection. Because TCP/IPpacket headers contain considerable information about eachTCP connection, from just these control packets one canextract connection start time, duration, participating hosts,ports(andhence,generally,theapplicationprotocol),andthenumber of bytes sent in each direction. Thus, by capturingon the order of only 4 packets (the two initial SYN packetsexchanged, and the
nal two FIN packets exchanged), wecan determine a great deal about a connection even thoughwe
lter out all of its data packets.The
nal
lter we use is:
ip[6:2] & 0x3fff != 0
which captures IP fragments, necessary for sound traf 
canalysis, and also to protect against particular attacks on themonitoring system 5.3.When using a packet
lter, one must also choose a
snap-shot length
, which determines how much of each packetshould be captured. For example, by default
tcpdump
uses3

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->