Friday, June 9, 2017

What is BroIDS?

 
A short introduction of what is BroIDS (or shortly with general use Bro):
 
Bro Intrusion Detection System
 
BroIDS is an open-source, Unix-based,  network-based IDS. It was developed by Vern Paxson at Lawrence Berkeley National Lab and the International Computer Science Institute. As all NIDS, BroIDS monitors the network traffic to look for any suspicious activity. It parses the network traffic to dig out its application-level semantics and then executes event-oriented analyzers to compare the activities with patterns (whenever a suspicious activity is found on the network, IDS logs them, and those activities are used as patterns to check for similar activities). (1)
 
BroIDS is an open-source network security monitor which inspects network traffic looking for suspicious activity. The BroIDS framework provides an extensible scripting language that allows an analysis of application to protocol level traffic. All built-in and user added BroIDS scripts output data to log files which can be further analyzed to detect malicious activities. (2)
 
Features of BroIDS
 
  • network-based IDS
  • custom scripting language,
  • pre-defined policy scripts,
  • snort signature compatibility support,
  • powerful signature matching facility,
  • different approach of network analysis,
  • detection follows an immediate action. (1)
BroIDS detects definite and abnormal activities, such as certain hosts connecting to certain services, using signatures and patterns of failed connection attempts. As BroIDS logs all activities in detail, it is most useful in network forensic investigations. BroIDS is popular, as it targets high speed, high volume intrusion, and detects using powerful packet filtering techniques to accomplish the essential performance. (1)
 
Bro is not:
  • an IDS,
  • an IPS,
  • an alerting system,
  • a SIEM,
  • an awesome frontend,
  • a silver bullet, (3)
 
Analyzing the Traffic
 
First, BroIDS filters the network traffic and then the remaining information is sent to its event engine, where BroIDS interprets the structure of the network packets and abstracts them into higher-level  events  describing  the  activity. Lastly,  BroIDS  implements  policy  scripts against the events, looking for possible intrusions. (1) 
 
Policy scripts
 
BroIDS is an open-source network security monitor that has been in development since 1995. The power of BroIDS is in the extensible scripting engine that analyzes the packet data. There are a wide array of out-of-the-box, pre-written scripts that ship with BroIDS that analyze network traffic. These local scripts write to six different categories of logs; network protocols, files, detection, network observations, miscellaneous, and diagnostics. (2)
 
"Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered.” These scripts are program written in BroIDS language and have all the rules describing the types of events which are potential intrusions and these policy scripts analyze the activities then initiate actions based on the analysis. It records the activities seen on the network as files and also generates alerts. It is a good idea to consider “Why Bro needs a special language?”, because this is a language which understands specific notions such as ports, IP addresses, connections  etc. and has a different approach to analyze the network to make the task easy. Users of BroIDS need not to learn the BroIDS language to run it. (1)

These scripts take action such as follows:ƒ
  • generating output files which have recorded events on the monitored network,
  • generating alerts if it sees a problem,
  • terminating the existing connections,
  • blocking traffic by placing blocks in to router ACL,
  • sends e-mail messages to the user to report events. (1)
BroIDS can analyze the network with deep levels of abstraction and stores all the past activities and integrate with new ones. (1)
 
BroIDS can inspect network traffic in real-time or look into a packet capture file that was previously recorded. As part of the analysis, BroIDS looks for known attacks in the same way a typical intrusion detection system would. The benefit of BroIDS is that all connections, sessions, and application level data are written to an extensive set of log files for later review. (2)
 
References: