Abstract:
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the four applications integrated into it so far: Finger, FTP, Portmapper and Telnet. The system is publicly available in source code form.
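The mechanism/policy split the abstract describes can be illustrated with a small, added Python sketch (this is not Bro's code, nor its policy language). A mechanism layer reduces constructed packet records to named events; a separate policy layer registers handlers that keep per-host state, synthesize a new event, and raise notifications. The packet records, the `SCAN_THRESHOLD` and `FINGER_MAX_LEN` site settings, the event names and the notice strings are all invented for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed, simplified packet record holding only what the demo needs."""
    src: str
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""


class EventEngine:
    """Mechanism layer: turns packets into named events and dispatches them to
    the handlers the policy layer registered.  Handlers may emit further
    (synthesized) events, which are queued and dispatched in order."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.queue = deque()
        self.notices = []           # stand-in for real-time syslog notifications

    def on(self, event, handler):
        self.handlers[event].append(handler)

    def emit(self, event, **args):
        self.queue.append((event, args))

    def notify(self, msg):
        self.notices.append(msg)

    def process(self, packets):
        for p in packets:
            if "S" in p.flags and "A" not in p.flags:       # bare SYN: connection attempt
                self.emit("connection_attempt", src=p.src, dst=p.dst, port=p.dport)
            elif p.dport == 79 and p.payload:               # Finger request line
                self.emit("finger_request", src=p.src, dst=p.dst,
                          query=p.payload.decode("ascii", "replace").strip())
            self._dispatch()
        return self.notices

    def _dispatch(self):
        while self.queue:
            event, args = self.queue.popleft()
            for handler in self.handlers.get(event, ()):
                handler(self, **args)


# Hypothetical site policy settings (not values from the paper).
SCAN_THRESHOLD = 3      # distinct (host, port) targets from one source before alerting
FINGER_MAX_LEN = 80     # longer Finger queries are treated as suspicious


def install_policy(engine):
    """Policy layer: event handlers that hold state, synthesize events and notify."""
    targets_seen = defaultdict(set)          # per-source state kept by the policy

    def connection_attempt(eng, src, dst, port):
        targets_seen[src].add((dst, port))
        if len(targets_seen[src]) == SCAN_THRESHOLD:
            eng.emit("port_scan", src=src, count=SCAN_THRESHOLD)    # synthesized event

    def port_scan(eng, src, count):
        eng.notify(f"port_scan {src} probed {count} ports")

    def finger_request(eng, src, dst, query):
        if len(query) > FINGER_MAX_LEN:
            eng.notify(f"finger_long {src} -> {dst} len={len(query)}")
        elif "@" in query:                    # request asks the server to forward the query
            eng.notify(f"finger_forward {src} -> {dst} query={query!r}")

    engine.on("connection_attempt", connection_attempt)
    engine.on("port_scan", port_scan)
    engine.on("finger_request", finger_request)


# Constructed sample traffic: one host probes three ports then sends a forwarded
# Finger query; a second host sends an ordinary query.
SAMPLE = [
    Packet("10.0.0.5", "192.168.1.10", 22, "S"),
    Packet("10.0.0.5", "192.168.1.10", 23, "S"),
    Packet("10.0.0.5", "192.168.1.10", 79, "S"),
    Packet("10.0.0.5", "192.168.1.10", 79, "PA", b"root@other.example\r\n"),
    Packet("10.0.0.9", "192.168.1.10", 79, "PA", b"alice\r\n"),
]


def run(packets=SAMPLE):
    """Build an engine, install the policy and return the notices produced."""
    engine = EventEngine()
    install_policy(engine)
    return engine.process(packets)


if __name__ == "__main__":
    for notice in run():
        print(notice)
```

The point of the layering is that `EventEngine` knows nothing about what counts as a scan or a suspicious Finger query; those judgements live entirely in `install_policy`, so a site can change thresholds or add handlers without touching the packet-reduction code.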