Bro
Frequently Asked Questions
What is Bro?
Why is an Intrusion Detection System (IDS) important?
What is a network based IDS system?
Are there other types of IDS besides network based?
How does Bro detect intrusions?
How does Bro analyze the traffic?
What are events?
What are policy scripts?
Can the scripts take action?
Can Bro automatically block hostile connections?
Why does Bro need a special language?
Do I need to learn the Bro language to run Bro?
I've heard of Snort. How is Bro different from Snort?
How do Bro's signatures work?
Can Bro use Snort signatures?
What do I need to run Bro?
Will Bro catch all intrusions?
What is Bro?
A Unix-based, network-based Intrusion Detection System (IDS) developed by
Vern Paxson at Lawrence Berkeley National Lab and the International Computer
Science Institute.
Why is an Intrusion Detection System (IDS) important?
Computers connected directly to the Internet are subject to relentless probing
and attack. While protective measures such as safe configuration, up-to-date
patching, and firewalls are all prudent steps, they are difficult to maintain
and cannot guarantee that all vulnerabilities are shielded. An IDS provides
defense in depth by detecting and logging hostile activities. An IDS system
acts as "eyes" that watch for intrusions when other protective measures fail.
What is a network based IDS system?
An IDS is a system designed to detect and report unauthorized attempts to
access or utilize computer and/or network resources. A network-based IDS
collects, filters, and analyzes traffic that passes through a specific network
location. Bro monitors network traffic and detects intrusion attempts based on
the traffic characteristics and content.
Are there other types of IDS besides network based?
The other common type of IDS is host-based. In a host-based IDS each computer
(or host) has an IDS client installed that reports either locally or to a
central monitoring station. The advantage of a host-based IDS is that the
internal operation and configuration of the individual computers can be
monitored. There are three primary drawbacks of a host-based IDS:
(1) It is harder to correlate network traffic patterns that involve multiple
computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a
lot of computers, with variations in operating systems and configurations, and
where computers are maintained by several system administrators with little or
no common practices;
(3) Host-based IDSs can be disabled by attackers after the system is
compromised.
How does Bro detect intrusions?
Bro analyzes network traffic against rules describing what sort of activity is
deemed troublesome. These rules might describe restrictions on activity (e.g.,
only certain hosts can connect to certain services), policies regarding what
activity is worth alerting (e.g., connection attempts to a given number of
different hosts constitute a "scan"), or signatures describing known attacks
or access to known vulnerabilities.
How does Bro analyze the traffic?
First, Bro filters the traffic, discarding elements of minimal importance to
its analysis. The remaining information is sent to its "event" engine, where
Bro interprets the structure of the network packets and abstracts them into
higher-level events describing the activity. Finally, Bro executes policy
scripts against the stream of events, looking for activity that the rules
indicate should generate alerts or actions, such as possible intrusions.
What are events?
Events are actions that take place on the network. Examples of events might be
a failed connection attempt, a connection established between two computers,
a successful authentication and login, a Web browser requesting a URL, or the
response sent back by a Web server.
What are policy scripts?
Policy scripts are programs written in the Bro language. They contain the
rules that describe what sorts of activities are deemed troublesome. They
analyze the network events and initiate actions based on the analysis.
Can the scripts take action?
Yes. Scripts generate a number of output files recording the activity seen on
the network (including normal, non-attack activity). They can also generate
alerts signifying that a problem has been seen. In addition, scripts can
execute programs, which can terminate existing connections, block traffic from
hostile hosts (by inserting blocks into a router access control list), send
e-mail messages, or page the on-call staff.
Can Bro automatically block hostile connections?
Bro itself cannot block connections, but by using its ability to execute
programs, Bro's detection capabilities can be integrated with network
equipment that can create such blocks. For example, Bro can detect a scan and
send the attacking IP address to an external program that can, in turn, insert
an access control block into a router, thus stopping the attacking IP from
further scanning.
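The following policy script is an added illustration of the event-driven detection described above (the event engine raising events, a script counting them into a "scan") together with the program-execution hook used for blocking; it is not a script from the Bro distribution. It assumes Bro 2.x script syntax, and /usr/local/bin/block_host is a hypothetical external program that installs a router access-control entry for the address it is given.

```bro
# Added illustration (not a script from the Bro distribution); assumes Bro 2.x
# syntax. /usr/local/bin/block_host is a hypothetical external program that
# inserts a router access-control entry for the address it is given.
module SimpleScan;

export {
    redef enum Notice::Type += { Address_Scan };
    # Distinct responders a source may fail to reach before it counts as a scanner.
    const scan_threshold = 20 &redef;
    # Leave F to only alert; set T to hand the address to the blocking program.
    const block_scanners = F &redef;
}

# Per-source set of responder addresses seen in failed connection attempts.
# Entries expire an hour after creation so the table cannot grow without bound.
global attempted: table[addr] of set[addr] &create_expire = 1 hr;

function block(a: addr)
    {
    # fmt() renders the addr value itself, so no attacker-chosen string reaches
    # the shell command line.
    system(fmt("/usr/local/bin/block_host %s", a));
    }

# The event engine raises connection_attempt when an originator's SYN goes
# unanswered; this handler is the policy layer reacting to that event.
event connection_attempt(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    if ( orig !in attempted )
        attempted[orig] = set();

    add attempted[orig][resp];

    # Alert exactly once, at the moment the threshold is first crossed.
    if ( |attempted[orig]| == scan_threshold )
        {
        NOTICE([$note=Address_Scan, $src=orig, $conn=c,
                $msg=fmt("%s attempted connections to %d distinct hosts",
                         orig, scan_threshold)]);
        if ( block_scanners )
            block(orig);
        }
    }
```

With block_scanners left at F the script only records a notice, which is the safer default while the threshold is being tuned against a site's normal traffic.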
Why does Bro need a special language?
Bro's language is geared towards network analysis in general and security
analysis in particular. It understands network notions such as "connections",
"IP addresses", "ports", and various network protocols. Its operators and
functions are designed to ease the task of expressing different forms of
network analysis.
Do I need to learn the Bro language to run Bro?
No. The standard distribution has a number of packaged scripts that are used
for most analysis needs. The Bro development team provides ongoing support and
improvement of these scripts. However, Bro users can certainly modify, extend,
or create scripts if they undertake learning the Bro language. Bro provides
mechanisms for easily incorporating site-specific enhancements.
I've heard of Snort. How is Bro different from Snort?
Snort is solely signature based, meaning that it looks for very specific
content in the network stream and reports each instance of a particular
signature. Bro can analyze network traffic at a much higher level of
abstraction, and has powerful facilities for storing information about past
activity and incorporating it into analyses of new activity. Bro also provides
a signature mechanism similar to Snort's, as discussed in the next question.
How do Bro's signatures work?
Like a number of other IDSs, such as Snort, Bro provides a signature-matching
facility that looks for specific traffic content. For Bro, these signatures
are expressed as regular expressions (for Snort, they are fixed strings). Bro
adds a great deal of power to its signature-matching capability because its
rich language allows it not only to examine the network traffic but also to
understand the context of the signature, therefore greatly reducing the number
of false positives, i.e., alerts that confuse uninteresting activity with the
important attack activity.
Can Bro use Snort signatures?
Bro includes Snort-compatibility support. The Bro distribution includes a
script, snort2bro, which converts a set of Snort signatures into Bro
signatures. Along with translating the format of the signatures, snort2bro
also incorporates a large number of enhancements to the standard set of Snort
signatures to take advantage of Bro's additional contextual power and reduce
false positives.
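The signature file below is an added example of the contextual matching the two questions above describe; it is not a signature shipped with Bro or produced by snort2bro. It assumes Bro 2.x signature syntax, and the two signature names and the request pattern are constructed for illustration.

```bro
# Added example (not from the Bro distribution or snort2bro output); assumes
# Bro 2.x signature syntax. Names and patterns are constructed for illustration.

# Content-only match, like a Snort rule: a request whose decoded URI names
# /etc/passwd. On its own it raises nothing (no "event" action), so a request
# that the server rejects produces no alert.
signature http-passwd-request {
  ip-proto == tcp
  dst-port == 80
  tcp-state established
  # Bro signature regexes are anchored at the start, hence the leading .*
  http-request /.*\/etc\/passwd/
}

# The contextual half: match the server's 200 status line in the reply
# direction, but only on a connection where the request signature already
# matched in the opposite direction. Only this combination raises the event,
# so probes answered with 404 or 403 never become alerts.
signature http-passwd-served {
  ip-proto == tcp
  src-port == 80
  tcp-state established
  payload /^HTTP\/1\.[01] 200 /
  requires-reverse-signature http-passwd-request
  event "Request for /etc/passwd answered with HTTP 200"
}
```

A Snort rule can express only the first signature's content test; the requires-reverse-signature dependency is where Bro adds the connection context that cuts false positives.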
What do I need to run Bro?
You need a single computer running a version of Unix that is fast enough to
keep up with your network load. The computer will obviously need an
appropriate network card and enough disk space to log network transactions for
a period of time. In the near future, recommended performance requirements for
the computer, depending on operational factors, will be given at bro-ids.org.
In an operational environment, it is advantageous to have an additional
computer that simply captures and records all traffic. This is commonly
referred to as bulk tracing. Although the sheer volume of traffic that bulk
tracing collects makes long-term storage prohibitive, having a few days of
bulk trace information available is extremely valuable in reconstructing
detected malicious activity.
Will Bro catch all intrusions?
No. Nothing can catch all intrusions. Intrusions are devised and executed by
intelligent people who are often actively trying to avoid detection. A skilled
attacker might be using little-known techniques that are very difficult to
detect. However, experience has shown that most intrusions are attempted by
intruders who use standard, well-known techniques that they have learned from
others. Usually Bro can detect these. Even expert attackers are susceptible to
eventual mistakes leading to tell-tale signatures that Bro will detect. In
addition, rather than relying solely on unique signature identification, Bro's
more advanced features can often discern network anomalies that are caused by
hostile activity. Even if previously unknown attack techniques are used, they
can often be detected by observing that the corresponding network activity
violates the rules of expected traffic.