Course T8 – The Bro Network Intrusion Detection System

Seth Hall & Robin Sommer, International Computer Science Institute

Tuesday, December 6th, Full Day

The proposed course will give an introduction to the Bro network intrusion detection system, a flexible open-source software running on commodity hardware. The Bro system provides a powerful means for expressing network security analysis tasks at different semantic levels and is not tied to any particular detection approach. Bro achieves its rich, semantic processing by providing a domain-specific analysis language that makes it fully customizable to a site's security policy. Well grounded in more than 15 years of research, the system has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by many scientific environments for securing their cyberinfrastructure. Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities. The system has also been used in numerous research studies aimed at understanding the specifics of network traffic, often even independent of security aspects. The presenters are both members of Bro's core development team.

This course will provide attendees with an in-depth understanding of operating Bro installations. We will present an overview of the system's philosophy & architecture, and provide a step-by-step introduction to using the system effectively in operational environments. We will in particular focus on major new functionality that we are currently developing for the next public Bro release, scheduled for fall 2011. After the course, attendees will be able to start building their own Bro setups and write tailored site-specific analysis scripts. We will also cover a range of more specific topics, including interfacing Bro with external applications, which will allow attendees to integrate the system into their existing setups.

The course's content will be partially based on past "Bro Hands-On Workshops" that we have held quite successfully at the San Diego Supercomputer Center in 2007 and at UC Berkeley in 2009, as well as on a former ACSAC tutorial held in 2009. These events were attended by network operators from academia, industry and government sites. The course hand-outs will include slides as well as a number of exercises for attendees to practice what they have learned.

Outline

This full-day tutorial will give an overview of the field of usable security with the focus on principles, approaches and research methods of usable security. A large number of real-life examples will be used to illustrate that it is feasible to develop security solutions that are simultaneously secure and usable. With the aim to enable participants to both evaluate and produce high-quality work in usable security, the tutorial is tentatively structured as follows:

  1. Bro Design Overview. System philosophy. Architecture
  2. Installing the Bro NIDS. Compilation & installation. Basic command-line usage
  3. Basics of Using Bro. Typical Bro usage. Basic customization
  4. Scripting Language Overview. Syntax. Data types. Example scripts
  5. Advanced Bro Scripting. State management & persistence. Signatures. Profiling & debugging
  6. Bro Communication. Inter-Bro communication. Interfacing with external applications
  7. The Time Machine. Interfacing Bro with a packet bulk recorder
  8. The Bro Cluster. Architecture. Operation

Prerequisites

The course is primarily targeted at two groups of attendees: security staff of network environments considering an operational deployment of the Bro NIDS; and academic researchers and students with the need for a flexible network traffic analysis platform. We do not assume any prior knowledge about using Bro, though attendees should be familiar with Unix shell usage and have a comfortable understanding of Internet protocols and tools for examining network traffic (e.g., tcpdump or Wireshark).

About the Instructors

Mr. Seth Hall is a research engineer with the International Computer Science Institute, where he acts as a developer and performs community outreach for the Bro-IDS project. Previously, Seth was employed by The Ohio State University's network security group, where he built the world's first operationally used Bro cluster and wrote numerous custom analysis scripts. He also spent a short time with GE building a new platform for their company-wide intrusion detection activities.

Dr. Robin Sommer is a staff researcher at the International Computer Science Institute in Berkeley, and he is also a member of the cyber-security team at the Lawrence Berkeley National Laboratory. His research focus is on network security monitoring in operational high-performance settings, and he is one of the core developers of the Bro system. Robin co-chaired the 2010/2011 Symposia on Recent Advances in Intrusion Detection, and he has served on numerous academic program committees and review panels. He holds a doctoral degree from TU Munich, Germany.