
  Bro: A System for Detecting Network Intruders in Real-Time (1999) [370 citations — 17 self]

by Vern Paxson
Computer Networks
ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

Abstract:

We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the six applications integrated into it so far: Finger, FTP, Portmapper, Ident, Telnet and Rlogin. The system is publicly available in source code form.
