Firewall Wizards mailing list archives
revised paper on the Bro network-intrusion detection system
From: Vern Paxson <vern () ee lbl gov>
Date: Tue, 22 Feb 2000 01:36:35 PST
A revised version of the Bro paper, which appears in Computer Networks 31(23-24), Dec. 1999, is now available from: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz It has a number of tweaks over the USENIX version, none major, but together totalling a medium-grade revision. I've appended the abstract. Vern Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Network Research Group, Lawrence Berkeley National Laboratory and AT&T Center for Internet Research at ICSI (ACIRI) vern () aciri org We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an ``event engine'' that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a ``policy script interpreter'' that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the six applications integrated into it so far: Finger, FTP, Portmapper, Ident, Telnet and Rlogin. The system is publicly available in source code form.
Current thread:
- revised paper on the Bro network-intrusion detection system Vern Paxson (Feb 22)