Bro User Manual - ports - The GNU
Contents
1. 39 60 D directory structure 000008 50 download secsi erris each er iriri ieia Bees gates 7 download new Signatures 43 E e mail reports 0 eee eee ee 18 Editing Existing Signatures 43 Email sb ockeveesakk ord RUE ERE REA 3 F FAQ RRRRDDES 3 qom or cM S 57 G GPG chica ate Sarde deg PIQUE 10 11 H Hardware requirements 000 eeeeee 5 Hardware Tuning eseesse eee 46 host grep script seeeese eene 52 host to addrs script 0 000 cece eee eee 52 http log Masa RE REX Ya ils EX Rae hes 57 I Importing Snort Signatures Luu 43 inedit oie d oe kane ae dete le de bees 18 incident type 18 info log erencsrenei Hehe eee Sade RR 57 Installation instructions 00 T Ip pTep SCTIPt es cease dere Rr Ry b Pepe Hen 52 M managing disk space 0 cence 14 N Network Intrusion Detection System 2 network f ap e aee nn n mn 5 notice dog iis E AE EVE Peres LE YyRYdg Edu 57 O Offline Analysis 48 OS Tuning rosii irr ee eel e es bean vie 46 Appendix A Index P pid file oo ebae seb wad wher hed awe Pion ay 52 Policy Piles i555 o enr came Yes 35 Predefined Bro Notices llslue uu S R report generate separate host BR report period iae kipa cero e hok 18 rst executible 0 0 ce eee eee eese 50 Runn2. 25 the source has scanned a number of ports worm seen in remote host the answer returned by a DNS server differs from one previously returned prints Bro resource usage possible evasion usually just bad TCP implementation session data not consistent with connection blanket X509 error a summary of scanning activity output once day connection marked hot See ence Manual section on hot ids information DNS lookup of sensitive hostname addr default list of sensitive hosts NULL interactive login using sensitive username defined in hot the given combination of the service looked up via the pormapper the host requesting the lookup and the host from which it s requiesting it is deemed sensitive Refer for more 38 Chapter 7 Customizing Bro SensitiveSignature SensitiveUsername InPassword SignatureSummary SynFloodEnd SynFloodStart SynFloodStatus TRWAddressScan TRWScanSummary Terminating Connection W32B_SourceLocal W32B_SourceRemote WeirdActivity Note that some of the FTP FTP_BadPort and some do not This is becuase not all of the Bro Analyzers have been converted to use the Modules facility yet ModuleName signatures login signatures synflood synflood synflood trw irw conn blaster blaster Weird Notice generic for alarm worthy During a login dialog a sensitive username e g rewt was seen in the user s pass word This is reported as a notice
3. NOTICE IGNORE NOTICE FILE NOTICE ALARM ALWAYS do nothing send to notice file send to alarm file and syslog Chapter 7 Customizing Bro 40 NOTICE ALARM PER CONN send to alarm file once per connection NOTICE EMAIL send to alarm file and send email NOTICE PAGE send to alarm file and send to pager It is also possible to define your own custom notice actions By default all notices are set to NOTICE ALARM ALWAYS except for the following ContentGap AckAboveHole AddressDropIgnored PacketsDropped RetransmissionInconsistency By default all Alarms are also sent to syslog To disable this add redef enable syslog F To change the default notice action for a given notice add something like this to your site brohost bro file redef notice action filters WeirdActivity ContentGap ignore notice H This will cause the Notices WeirdActivity and ContentGap to no longer get logged anywhere To send these Notices to the Notice log file only and not to the Alarm log add this redef notice action filters WeirdActivity ContentGap file notice For NOTICE_EMAIL and NOTICE_PAGE email is sent using the script specified by the mail script variable default mail notice sh which must be in PATH To activate this mail_dest must be set Email is only sent if Bro is reading live traffic For example to send email on TerminatingConnection and FTP_Sensitive notices add something like this redef m
4. Report interval in hours 24 Email addresses for reports bro localhost Daily reports will be created Enter the site name you want to appear at the top and in the subject of all email reports The start time and interval define the window of network activity that the daily report will cover starting at Starting Report Time and last ing through Report interval The start time should be entered using 24hr clock notation For example 12 30AM 0030 2PM 1400 Do you want to encrypt the email reports Y N N Y Chapter 3 Installation and Configuration 9 If you want the email reports encrypted you will need to set up GPG http www gnupg org and create a GPG keyring containing the public keys of all email recipients Instructions for this are in Section 3 5 En crypted Reports page 10 Note PGP keys are com patible with GPG but the Bro supplied scripts require GPG not PGP Running script to determine your local subnets Your Local subnets 198 129 224 1 32 Bro needs to know a list of your local subnets bro_config runs a tool that attempts to discover this automatically You should always verify the results of this tool The format is a list of subnet significant bits of address For example 131 243 0 0 16 198 128 0 0 18 198 129 224 1 32 This information will be stored in the file BROHOME site local site bro Saving settings to file usr local bro etc bro cfg Bro configuration finished To chang
5. configure By default Bro is installed in usr local bro This location is referred to in the rest of the manual as BROHOME To install Bro in a location other than usr local bro use configure prefix path to bro By default Bro uses the version of libpcap that is installed on the system If your system version older than version 0 7 2 you can run configure Bro with enable shippedpcap to use the version of libpcap that comes packaged with Bro For example configure enable shippedpcap Then type make make install Or make install brolite Use make install to install all the Bro binaries and policy script files Use make install brolite to also run the configuration script described in the next section and install all the configuration files and cron jobs make install can be run as any user but make install brolite requires you to be root To update an existing Bro installation with new binaries and standard policy files instead of make install do a make update This will preserve all your local customizations Then add BROHOME bin and BROHOME scripts to your PATH to use Bro s utilities and scripts Also note that this documentation is installed in BROHOME docs as both HTML and PDF versions Chapter 3 Installation and Configuration 8 3 3 Bro Configuration The Bro Lite configuration script can be used to automatically configure or reconfigure Bro for you It checks your system s BPF settings creates a bro
6. tag 042 Where the tags indicate the following e i time e no notice e na notice action e sa source address e sp source port e da destination address e dp destination port e msg message in this case a host has scanned 20 hosts e tag identifier to match this to lines in notice log and conn log The alarm file format is designed to be easy to parse and interpret by programs not humans Chapter 5 Bro Output 16 5 2 2 Sample Alarm File Contents NOTE the examples in this section still use the old log format This needs to be updated Bro generates a number of types of alarms such as suspicious connection attempts directed at your systems address scanning port scans and attempts to gain access to user accounts We describe some of these in more detail here Vulnerability scans directed against systems The first category of suspicious connection attempts that Bro identifies and reports is vulnerability scans directed against systems Instead of burdening you with every vulnera bility scan no matter how tiny against systems that occurs it reports only scans that occur at or above its threshold in terms of a specified size such as the number of vulnerability scan attempts per second The following entry indicates that IP address 66 243 211 244 has scanned 10000 of your systems on tcp port 445 the port used by newer Windows systems such as Windows 2000 XP and Server 2003 for share access Nov 16 06 30 49 AddressScan 6
7. user account installs a script to start Bro at boot time installs the report generation package and installs a number of cron jobs to checkpoint Bro every night run periodic reports and manage log files To run this configuration script type bro_config This script creates the file BROHOME etc bro cfg bro_config will ask a number of simple questions Note that the full functionality of this script is only supported under FreeBSD Some additional configuration may need to be done by hand under Linux Sample output of bro_config along with explanation is shown below Running Bro Configuration Utility Checking interfaces Done Reading usr local bro etc bro cfg example for defaults The bro_config script looks first at bro cfg then usr local bro etc for default values to use below Bro Log archive location usr local bro archive This is the directory where log file archives are kept If you expect the log files to be very large it is recom mended to put these in a separate disk partition User id to install and run Bro under bro bro_config will create a new user account with this username if the user does not exist Interface names to listen on eni en2 bro_config looks for all network interfaces and does a short test to determine which interfaces see the most traffic and selects these interfaces as the default Site name for reports i e LBNL F00 COM BAZ ORG Starting Report Time 0600
8. Incidents and Alarms 34 If the attack used a specific little used port another investigation would be to search for other similar connection using that port Often the attacker might change attack hosts but will continue to use the same attack method example here NOTES You may want to go back several days weeks months or even years to see if the attacker has visited and perhaps compromised you site earlier without being detected However be forwarned that the conn logs tend to get very large and doing extensive searches can take a very long time 6 6 3 Odd Activity Despite attempts to have the network community adhere to network standards non compliant traffic occurs all the time The weird logs are a record of instances of network traffic that simply should not happen While these logs are usually of interest to the most hard core of network engineers if a unique attack is detected it is sometimes valuable to search the weird logs for other unusual activities by the attacking host Hackers are not bound by standard protocol and sometimes find ways to circumvent security via weird methods 6 7 Examine the Bulk Trace if Available For information on using the Bulk trace files for analysis see Chapter 10 Bulk Traces and Off line Analysis page 48 6 8 Contact and Question Appropriate People The final and usually the most definitive investigation is to call the owners of the hosts involved Often a call to
9. because it could be that the login analyzer didn t track the authentication dialog correctly and in fact what it thinks is the user s pass word is instead the user s username summarize number of times a host triggered a signature default 1 day end of syn flood against a certain victim A syn flood is defined to be more than SYN FLOOD_THRESHOLD default 15000 new connections have been reported within the last SYNFLOOD INTERVAL default 60 seconds for a certain IP start of syn flood against a certain victim report of ongoing syn flood source flagged as scanner by TRW algorithm summary of scanning activities reported by TRW rst command sent to connection origin connection terminated triggered in the fol lowing policies ftp and login forbidden user id hot connection from host with spoofed IP address report a local W32 Blaster infected host report a remote W32 Blaster infected host generic unusual alarm worthy activity 39 names start with ModuleName e g Eventually all notices will start with To get a list of all Notices that your particular Bro configuration might generate you can type sh BROHOME etc bro cfg bro z notice BRO_HOSTNAME bro 7 3 Notice Actions Notices that are deemed particularly important are called Alarms Alarms are sent to the alarm log file and to optionally to syslog The standard Bro distribution supports a number of types of notice actions these are
10. can control the signature action levels through the file BROHOME site sigaction bro You can set the signature action to the one of the following SIG_IGNORE ignore this sig completely SIG_FILE write to signatures and notice files SIG_ALARM alarm and write to notice and alarm files SIG_ALARM_PER_ORIG alarm once per originator SIG_ALARM_ONCE alarm once and then never again All signatures default to action SIG ALARM To lower the alarm level of the signature add an entry to the file BROHOME site sigaction bro The Bro distribution contains a default sigaction bro file that lowers the level of a number of signatures from ALARM to FILE notice To permanently remove a signature you can delete it from the sig file 7 6 2 Add a New Signature To add a new signature to a running Bro add the signature to the file BROHOME site site sig or create a new sig file in BROHOME site and then restart Bro using BROHOME etc bro rc checkpoint A sample signature looks like this Chapter 7 Customizing Bro 43 signature formmail cve 1999 0172 ip proto tcp dst ip 1 2 0 0 16 dst port 80 http formmail recipient amp 1 event formmail shell command For more details see the reference manual 7 6 3 Editing Existing Signatures Bro supplied signatures are in BROHOME sigs You should not edit these as they will get overwritten when you update Bro Instead make your modifications in BROH
11. event connection_established c connection local id c id local service id resp_p local inbound is_local_addr id resp_h if inbound amp amp id resp_h service in allow_my_services NOTICE note SensitiveConnection conn c msg fmt hot As full_id_string c 1 if inbound amp amp service in terminate successful inbound service terminate connection c To test this you might do the following First generate some offline data to play with tcpdump s O w trace out port smtp or port http Kill off the tcpdump after capturing traffic for a few minutes use ctrl C Then add the above Bro code to your hostname bro file and run Bro against this captured trace file setenv BROHOME usr local bro setenv BROPATH BROHOME site BROHOME policy bro r trace out hostname bro 7 6 Signatures NOTE Bro Signatures mechanism is still under development Signatures in Bro are quite different than standard packet matching signatures such as those used in Snort A Bro signature or Rule is a contezrtual signature that can include connection level information Hence Bro signatures generate far fewer false positives Chapter 7 Customizing Bro 42 However Bro s contextual signatures are fairly CPU and memory intensive and still generate more false positives than we d like so for now they are turned off by default See the next section for information on how to turn them on For example an packet l
12. in using an SQL attack and then down loaded a tool using TFTP Both of these were detected and created the fol lowing alarms Alarm SensitiveSignature 1 bro 687 5 MS SQL xp cmdshell program execution 7 29 12 43 31 84 136 338 21 gt 124 333 183 62 566 tcp gt 1433 tcp Signature code signature bro 687 5 ip proto tcp dst port 1433 event MS SQL xp_cmdshell program execution tcp state established originator payload xX Nx0O pP x00_ x00 cC x00 mM x00 dD x00 sS x00 hH x00 eE Nx00 1L x00 1L x00 payload xp_cmdshell echo gt c temp bcp cmd Alarm SensitiveSignature 2 bro 1444 3 TFTP Get 7 29 12 43 31 84 136 338 21 gt 124 333 183 62 2318 upd gt 69 udp Signature code signature bro 1444 3 ip proto udp dst port 69 event TFTP Get payload x00 x01 payload Runtime exe annotation Looking at the C column below the alarms are signified by 1 and 2 both occuring at 12 43 81 Since the attacks take place within one second this is probably an automated attack The remote host continues to connect to the victim host using a different port each time to avoid detection The large transfers from the local host to the remote host subsequent to the alarmed attacks signifies that the attack is probably successful Connections only first 25 after first alarm are listed time byte remote local byte date time duration transfer port C I port transfe
13. inconsistency in packets sent by a system at IP address 131 243 223 212 to origin2 microsoft com Nov 16 06 30 59 RetransmissionInconsistency 131 243 223 212 2270 gt origin2 microsoft com http M rexmit inconsistency HTTP 1 1 200 OK M JDate Tue 16 Nov 2004 5 3 Connection Summary File See the Connection Summary section in the reference manual for a description of the conn log files 5 4 Analyzer specific Files A number of analyzers such as HTTP and FTP generate their own log files These files are fairly self explanatory coming soon sample http log ftp log etc 5 5 Tracefiles Bro can be configured to output captured packets that look to be part of suspicious sessions These files are in tcpdump format Chapter 5 Bro Output 18 5 6 Bro Summary Reports NOTE The Bro report facility is still under development This section may be out of date Bro reports are generated using the site report p1 script which is typically run as a nightly cron job A daily report is created that covers three sets of information e Incident information e Operational status of Bro e General network traffic information The reports will be mailed to the email addresses specified during Bro installation These email addresses can be changed by re running the bro_config script or by editing BROHOME etc bro cfg directly The report is divided into three parts the summary incidents and scans The summary includes a rollup of incident informatio
14. redef drop connectivity script my drop script At LBL we use a program called acld to update the ACLs in our boarder routers on the fly This code is available at ftp ftp ee Ibl gov acld tar gz Chapter 9 Performance Tuning 46 9 Performance Tuning NOTE This chapter still a rough draft and incomplete If the link you are monitoring with Bro has too many connections per second or if you have too many policy modules loaded it is possible that Bro will not be able to keep up and that the Bro host will drop too many packets to be able to perform accurate analysis A rule of thumb for Bro is that if CPU usage is lt 50 and memory use is lt 70 of physical memory than you should not have any worries Otherwise you might want to explore the tuning options below For sites with an extremely high load you might consider using multiple Bro boxes each configured to capture and analyze different types of traffic Note that the amount of CPU required by Bro is a function of both the number of connections second and the number of packets second So it s possible that a large site e g 2 000 hosts on a slow link e g 100 Mbps would still have performance issues because it has a very large number of connections second 9 1 Hardware and OS Tuning If your CPU load gt 50 or your memory footprint is gt 70 of physical memory an obvious solution is to buy a faster CPU or more memory If this is not possible here are s
15. the owner of the local host can reveal that the activity was not normal but appropriate or a mistake Chapter 7 Customizing Bro 35 7 Customizing Bro Bro is very customizable and there are several ways to modify Bro to suit your environment You can write your own policy analyzers using the Bro language Most sites will likely just want to do minor customizations such as changing the level of an alert from notice to alarm or turning on or off particular analyzers The chapter describes how to do these types of customizations Information on how to write your own analyzers can be found in the Bro Reference Manual The default policy scripts for Bro are all in BROHOME policy These files should never be edited as your edits will be lost when you upgrade Bro To customize Bro for your site you should make all your changes in BROHOME site Many simple changes just require you to redefine using the redef operator a Bro constant from a standard policy script with your own custom value You can also write your own custom script to do whatever you want For example to add guest to the list of forbidden_ids user names that generate a login alarm you do this redef forbidden_ids guest In this chapter we give an overview of all the standard Bro policy scripts what notices they generate and how to customize the most commonly changed items and how to write new policy modules 7 1 Builtin Policy Files Bro policy sc
16. website There is no need to investigate further 6 6 Examine the Connection and Weird Logs The connection logs are a record of every connection Bro detects Although they don t contain content being able to track the network movement of an attacking host is often very useful 6 6 1 Breakin Indicators If it is still not clear if a suspect host is an attacker the connection surrounding the suspi cious connection can be examined Here are some questions that might be answered by the conn logs itemize item How many more successful connection the attacker make to the target host item How much data was transfered A lot of data means something more than an unsuccessful probe item Did the target host connect back to the attacker This is a fairly sure sign of a successful attack The attacker has gained control of the target and is connecting back to his own host item What was the time duration If several attacks occur in a very short time and then slow down to human speed it could indicate the attacker used an automated attack to gain control and then switched to a manual mode to work on the compromised target host 6 6 2 Connections to Other Computers If a host has been successfully identified as an attacker it is useful to know what and how many other hosts the attacker has touched This can be found by grepping through the conn logs for instances of connections by the suspect host example here Chapter 6 Analysis of
17. 1 Converted Snort Signatures Since Snort signatures are usually fairly well documented one way to discover the intent of the signature is to search the web for the title of the signature using any of the common search engines Yahoo Google Teoma AltaVista or one of the may others For instance a search on the MS SQL xp_cmdshell vulnerability yields 7000 hits One of those hits is Zone H org Advisories Successful exploitation of this vulnerability can enable an attacker tof execute commands in the system via MS SQL xp cmdshell function www zone h org advisories read id 4243 17k Cached Similar pages Chapter 6 Analysis of Incidents and Alarms 32 This web site give a fairly detailed description of the exploit and verifies that it can be used to root compromise a computer and hence is a vulnerability of significant inter est Several other sites also give details about the signature the attack and other useful information 6 4 2 Embedded Bro Rule Unfortunately most of the embedded Bro rules have not been documented The analyst must rely on his her own understand of network attacks to guess what the intent of the rule is Sometimes useful comments are written into the Bro policy source 6 5 Examine HTTP FTP or SMTP Sessions These three files record session activity on ports 80 http 21 ftp and 25 smtp respectively If the alarm involves any of these ports these files may reveal the details of the sessio
18. 30 262 101 6 276 M 2200 M 13064 124 333 34 186 66 263 169 170 389 M 2095 M 17919 132 257 195 68 140 267 28 48 91 3 M 2029 M 6275 132 257 212 232 151 293 199 65 39155 1994 M 24 124 333 41 61 206 290 82 18 3401 1853 M 22 132 257 64 3 61 278 72 30 1798 M T 1 124 333 181 191 61 263 209 246 16 8 M 1676 M 113 132 257 64 3 261 232 163 3 1544 M 24069 9 132 257 64 3 61 273 210 110 1517 M 4140 7 124 333 34 186 128 342 121 70 1351 M 222M 14861 132 257 64 3 258 14 200 58 1350 M 24075 14 132 257 64 3 222 330 100 28 1219 M 4077 7 132 257 64 3 210 261 41 131 1162 M 25 3 Chapter 6 Analysis of Incidents and Alarms 28 6 Analysis of Incidents and Alarms Rule one There are no rules This section describes a specific procedure that can be followed with each incident that Bro uncovers but one must keep in mind that intrusion detection is not a static problem The perpetrators of intrusions and malicious network activity are constantly changing their techniques with the express purpose of evading detection Unexpected activities are often found by investigation of seemingly innocuous network oddities or serendipitous inspection of logs While Bro is an exceptionally useful tool for collecting sorting analyzing and flagging suspect network data it cannot be expected to flag all new cleverly disguised attacks Nor can it be expected to differentiate with 100 accuracy between aberrant but legitimate user behavior and a malicious attack Sometimes a str
19. 6 243 211 244 has scanned 10000 hosts 445 tcp Important note If the source of a scan is an IP address within your own network the probability that this system is infected or has been taken over by an attacker is very high At the bottom portion of each Bro report summaries of scan activity also will appear for your convenience see the bottom part of Figure 1 Scan summaries look like the following Nov 16 8 01 30 11 ScanSummary 194 201 88 100 scanned a total of 145 hosts Port scanning Port scanning means that a system has targeted one system connecting to one port then another until it has scanned a whole range of ports In the following example a system with an IP address of 218 204 91 85 has scanned 50 ports of a system named diblys dhcp within an internal network Nov 16 06 30 50 PortScan 218 204 91 85 has scanned 50 ports of siblys dhcp An address dropped entry is likely to appear shortly after a port scan is reported In the following entry the system with an IP address of 218 204 91 85 was systematically probing low ports that is ports in the range from 0 to 1023 on sibyls dhcp Nov 16 06 30 52 AddressDropped low port trolling 218 204 91 85 403 tcp Connection attempts Bro finds attacks against user accounts such as password guessing attempts When it does it reports them as follows Need example here Weird events Bro labels unusual or exceptional events as weird Weird events include a wide range of events inclu
20. Bro User Manual version 0 9 12 1 2004 DRAFT Vern Paxson Jim Rothfuss Brian Tierney Contact vern icir org http www bro ids org This the User Manual for Bro version 0 9 This software is copyright 1995 2004 The Regents of the University of California and the International Computer Science Institute All rights reserved For further information about this notice contact Vern Paxson email vern icir org Table of Contents 1 Overview of Br0 sv SERE ES E 2 ld Whbat is BrO oed e ERE rh d Rat ASH dein ded 2 1 2 Bro features and benefits 0 0 0 0 cece eee eee eee eee 2 1 3 Getting more Information 0 0 c eee eee eee ee 3 ELOeGuIPernate 8a 5 6 54 2 or ROC v dE POL seo RR Eu 5 2 1 Network Tap eben messe reme denied od teed anes 5 2 2 Hardware and Software Requirements 00000 5 Installation and Configuration 7 34 Download esasa 4 8 anthem Ft UR eed aei tue Eran 7 D2 Install sedate ga ett pete itt x a Wenge ti BAGS URN in 7 3 0 Bro Contisuratlons ose eo Re PERDRE HERRERA bed sabe yee 8 3 4 OS Configuration sseeeeeee hme 9 3 5 Encrypted Reports cn 2 02 sen ede Rr d be bee tage bee 10 3 6 Generating Reports on a Separate Host liiis elus 1i Running BrO 23232 oddea wide sontcaeseds lt eae 13 4 1 Starting Bro Daemon 0 0 00 eee ee eee 13 4 2 Running Bro from the command line 0 13 4 3 Bro Cron Scripts espernas par
21. Chapter 7 Customizing Bro HTTP HTTP_ SensitiveURI HotEmailRecipient http smtp ICMP ICMPAsymPayloadcmp ICMP ICMPConnectionPanp IdentSensitiveID LocalWorm LoginForbidden ButConfused Multiple SigResponders MultipleSignatures Multiple SigResponders OutboundTFTP PasswordGuessing PortScan RemoteWorm Resolver Inconsistency Resourcesummary Retransmission Inconsistency SSL_SessConIncon SSL_X509Violation ScanSummary SensitiveConnection SensitiveDNS_ Lookup SensitiveLogin Sensitive PortmapperAccess ident worm login signatures signatures signatures tftp scan scan worm dns print resources weird ssl ssl scan conn dns login portmapper Sensitive URI in GET POST HEAD default sensitive URIs de fined http request bro e g etc passwd shadow netconfig XXX Need Example default NULL Payload in echo req resp not the same Too many ICMPs between hosts default 200 Sensitive username in Ident lookup Worm seen in local host searches for code red 1 code red 2 nimda slammer Interactive login seen using forbidden user name but the analyzer was confused in fol lowing the login dialog so may be in error host has triggered the same signature on multiple responders host has triggered many signatures host has triggered the same signature on multiple responders outbound TFTP seen source tried too many user password com binations default
22. Files print filter bro print globals bro print resources bro print sig states bro profiling bro reduce memory bro remote pcap bro remote print bro remote bro scan bro secondary filter bro signatures bro signatures bro old site bro smtp relay bro smtp rewriter bro smtp rw bif bro smtp bro snort bro software bro ssh stepping bro ssh bro ssl alerts bro ssl ciphers bro ssl errors bro ssl worm bro ssl bro stats bro stepping bro synflood bro tcp bro tftp bro trw bro udp bro vlan bro weird bro worm bro 56 Appendix A Bro Directory and Files 57 A 6 The bro site Directory signatures sig To be completed A 7 The bro logs Directory All logs take the form type hostname start_date time end_date time The date time stamps for each record in the files are always in UNIX ticks since epoch format type is one of the following alarm Network occurrences that are determined to be of high importance will be written into the alarm file The determination is made by the Bro policy scripts Local site modifications can override default Bro alarms or create new ones that are site specific Each entry contains the date time the alarm type and a description of the alarm This file is usually the starting point for investigation Each alarm should be evaluated for further follow up action conn All network connections detected by Bro are recorded in this file A connection is defined by an initial pack
23. Is but can be generated by worms http request bro const skip remote sensitive URIs cgi bin phf php cgil http request bro const sensitive_post_URIs wwwroot WWWROOT amp redef http request bro if sensitive URIs in URI amp amp URI worm_URIs http request bro method POST amp amp sensitive post URIs in URI http request bro Skip remote sensitive URIs in URI Clearly http request bro is the file of interest If in the case of other types of analyzers more than one file appears look for the place where the const statement is used to declare the variable s Look into the policy file Search in the section of Bro policy code that describes the rule s for the specific notification In the file http request bro is found export const sensitive_URIs etc passwd shadow netconfig IFS t nph test cgi Z0al binletclusr tmp N Admin filesV orderN 1og carbo d11 cgi bin phf phpN cgiltest cgi cgi dos args bat cgi win uploader exe search97 vts tk tgz ownz somewhat prone to false positives amp redef URIs that match sensitive URIs but can be generated by worms and hence should not be flagged because they re so common const worm_URIs Chapter 6 Analysis of Incidents and Alarms 31 c dir cool dll Admin dll Admin dll amp redef redef capture
24. OG BE 2e Gay es eae KU Ene ip Mi a anai 8 bro cfg HIG orci ci see eres ees asad ERE ES DES 51 bro cfg example file 000 51 DYO Tsa dadada eu kh ed erobert iba 13 bro re file 12 sangace ng hale oe ad eee g eee pais 51 bro rc hooks sh file 00 000008 51 bro archive Directory 0 0 0000 59 bro bin Directory 0 0 0000000000 50 bro etc Directory 0 0 000 c cece eee 51 bro logs Directory e reti sees 57 bro pm Directory 0 000002 e eee 52 bro policy Directory 00 e eee ee eae 53 bro scripts Directory 0 00 00005 52 bro scripts pm Directory 0 52 bro site Directory sees eese 57 bro var Directory esee eee 52 brosCOBHg uuu cites atta we OUR upra arte 8 bro_generate_report 0 0 cee eee eee eee 14 bro_log compress 0 00 eee eee ee eee 14 bro log compress sh script 0000 52 BROHOMB enir4d axe dec ee bp anid T Bulk Traces o sucer er dg mcer vo p Re 48 C cf executible 2 cece eee ee eee eee 50 checks disks 2ich4ise86 waa atu wand had aA REA 14 Configuration instructions 12 CONMIOR sese deo wesw awl oe cede Fabra eph 57 connection history 0 0 eee eee 18 connection successful lesse 18 connection unsuccessful 0 0 aunen 18 Customizing Builtin Policy 40 Customizing Notice Actions
25. OME site If you use the same signature ID as an existing signature the site sig will take precedence 7 6 4 Importing Snort Signatures New snort signatures come out almost every week To add these to Bro do the following XXX section not done Add instructions for incorporating new sigs from Snort 7 6 5 Checking for new Signatures from bro ids org note this functionality is currently under development and does not yet exist The Bro team will be constantly updating our set of default signatures and posting them on the Bro web site To download the latest signatures and incorporate them into your Bro setup run the script BROHOME scripts update sigs This script uses the wget command to download the latest signatures and puts them into the required Bro files and then restarts Bro to load the new signatures 7 7 Tuning Scan Detection There are a large number of tunable parameters in the scan analyzer all of which are described in the reference manual Most of these parameters should be fine for all sites The only settings that you may want to tune are e report peer scan Generate a log message whenever a remote host has attempted to connect to the given number of distinct hosts Default 100 1000 10000 3 e report outbound peer scan Generate a log message whenever a local host has at tempted to connect to the given number of remost hosts Default 1 100 1000 Hh e skip services list of ports to ignore scans on b
26. a nini nia neia eee hn 14 Bro EIHEDIH 2 oria ooo R yes Dd as Rd e a 15 Dl Rotating Log biles 1 222 y np RIbevR R4 RDREPEREA 15 52 Alarm PP TP 15 5 2 1 Alarm File Format 00000 e 15 5 2 2 Sample Alarm File Contents 0 0200eeeee 16 5 3 Connection Summary File 0 cee eee eee 17 5 4 Analyzer specific Files cece esses 17 pipe Tracefiles 24 4 0 rnorti rrr rA Ped Rendre ete a IT 5 6 Bro Summary Reports 0 0 cece eee eee 18 5 6 1 Parts of a Report 0 ete eae 18 5 6 2 Annotated Example Report 00000000e sees 20 Analysis of Incidents and Alarms 28 6 1 Two Types of Triggers 0 cece cece ee 28 6 1 1 Converted Signatures 0 0 0 ce cece ee eee 28 6 1 2 Embedded Bro Rule 00 e cee eee 28 6 2 General Process Steps 00 c cece eect ene 29 6 3 Understand What Triggered the Alarm s Lesser 29 6 3 1 Converted Snort Signatures 0 0 0 ccc eee eee eee 29 6 3 2 Embedded Bro Rule 0 eee eee eee 30 6 4 Understand the Intent of the Alarm s 05 21 6 4 1 Converted Snort DIgriabur s ossse ds eee een sees 31 6 4 2 Embedded Bro Rule 0 cee eee eee 32 6 5 Examine HTTP FTP or SMTP Sessions 32 6 6 Examine the Connection and Weird Logs 33 6 6 1 Breakin Indicators 0 cece eee 33 6 6 2 Connections to Other Co
27. ail_dest youremail yoursite edu redef notice action filters TerminatingConnection FTP FTP_Sensitive send email notice rs 7 4 Customizing Builtin Policy The default policy scripts for Bro are all in BROHOME policy Remember that these files should never be edited as your edits will be lost when you upgrade Bro To customize Bro for your site you should make all your changes in BROHOME site Many simple changes just require you to redefine using the redef operator a Bro constant from a standard policy script with your own custom value You can also write your own custom script to do whatever you want Here are some example of the types of things you may want to customize To add guest to the list of forbidden_ids user names that generate a login alarm you do this Chapter 7 Customizing Bro 41 redef forbidden ids guest To add a new rootkit string to HTTP sensitive URIs redef HTTP sensitive URIs rootdown pl 7 5 Writing New Policy For example if your site only allows external http and mail to a small controlled lists of hosts you could write a new bro file containing this const web servers www lbl gov www bro ids org const mail servers smtp lbl gov smtp2 lbl gov const allow my services set addr port 1 mail servers smtp web servers httpl Bro can then generate an Alarm or even terminate the connection for policy violations For example
28. an in turn send e mail messages page the on call staff automatically terminate existing connec tions or with appropriate additional software insert access control blocks into a router s access control list With Bro s ability to execute programs at the operating system level the actions that Bro can initiate are only limited by the computer and network capabilities that support Bro e Snort Compatibility Support The Bro distribution includes a tool snort2bro which converts Snort sig natures into Bro signatures Along with translating the format of the signatures snort2bro also incorporates a large number of enhancements to the standard set of Snort signatures to take advantage of Bro s additional contextual power and reduce false positives 1 3 Getting more Information e Reference manual e FAQ An extensive reference manual is provided detailing the Bro Policy Lan guage Several Frequently Asked Questions are outlined in the Bro FAQ If you have a question not already covered in the FAQ send it to us and we ll add it e E mail list Send questions on any Bro subject to bro bro ids org The list is frequented by all of the Bro developers You can subscribe by going to the website http mailman icsi berkeley edu mailman listinfo bro or by placing the following command in either the subject or the body of a message addressed to bro request icsi berkeley edu subscribe password digest option address lt addr
29. analy Performs statistical analysis backdoor Looks for backdoors passwords Looks for clear text passwords file flush Causes all log files to be flushed every N seconds Why off by default Turn on if needed CPU intensive and low payoff CPU intensive and low payoff historical no longer interesting Turn this on if you want to know about this still experimental Possibly too CPU intensive needs more testing only used in off line alalysis only effective when also capturing bulk traffic may want to turn on if your site does not allow clear text passwords may want to turn on if you are doing real time analysis To modify which analyzers are loaded edit or create a file in BROHOME site If you write your own new custom analyzer it goes in this directory too To disable an analyzer add unload policy bro to the beginning of the file BROHOME site brohost bro before the line load brolite bro To add additional analyzers add them load them in BROHOME site brohost bro Chapter 7 Customizing Bro 37 7 2 Notices The primary output facility in Bro is called a Notice The Bro distribution includes a number of standard of Notices listed below The table contains the name of the Notice what Bro policy file generates it and a short description of what the Notice is about Notice Policy Description AckAboveHole weird Could mean packet drop could also be a faulty TCP implementation AddressDropIg
30. and Alarms 33 gt grep 473280 http hostname 04 11 22 12 52 42 cf Nov 22 15 18 30 473280 start 128 333 48 179 80 143 378 186 Nov 22 15 18 30 473280 GET fitness default htm 200 OK 10473 Nov 22 15 18 30 473280 GET javascripts cms_common js 304 Not Modified 0 Nov 22 15 19 47 473280 GET food nutrition default htm 200 OK 13177 Nov 22 15 19 47 473280 GET NR rdonlyres eirwwu3xtlr22dkat5cim4ziupouzxb6kz4xb zbr4zs255cab7cvvbmhcjcrmrfg6kpcrevyndo2za3yoibesheiolf Newsiii904Dairy NotFor Diet jpg 200 OK 6572 Nov 22 15 19 51 473280 GET NR rdonlyres 0D25692F D59A 4B90 AB53 8BBC9E75A286 gif 200 OK 189 Nov 22 15 19 51 473280 GET NR rdonlyres eqpbdbex34wpqpagp2fcbxh35omcjtq45feyf 7l zgtjffOfhrybfbsvtszeu4rc2clayghhslfimaafkoocae6cv6wof doctor jpg 200 OK 161 5 NR rdonlyres enhskrfoodzuquvmb1i2hasjspusrgsvyhbd3nlue5msoli2ueagrwdxw56gqall aa7sosee3yn2hwywcg6kgv4wcv6jc bigback gif 200 OK 8192 interrupted NR rdf onlyres ej2cpd275ghrefp23ezou43haqe6fmj3oyeqxkvopf4bv4zhwbqimfrrbndqpotxbb5pogc7l xiqvdcovaxo66afyqfof smallleg jpg 200 OK 1010 Nov 22 15 22 12 473280 GET NR rdonlyres eirownz4tqwlseoggqm2ahjb5cqsdbedlaxyye7l kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb smallshoulders gif 200 B OK 1134 Nov 22 15 22 13 473280 GET NR rdonlyres 49D86A33 AF6C 4873 AD11 F26DDBF222B1 gj if 200 OK 167 By examining this session it can clearly be seen that the session is simply a web visit to a fitness
31. ap performance These include Phil Wood s libpcap replacement see http public lanl gov cpw Luca Deri s patch to fix libpcap issues see http luca ntop org Ring pdf Note that Phil Wood s version of libpcap seems to be buggy in non blocking mode Build Bro using the disable selectloop option to disable non blocking mode if using this version of libpcap 9 2 Bro Policy Tuning If the hardware and OS tuning solutions fail to bring your CPU load or memory con sumption under control next you will have to start turning off analyzers Signatures are particularly CPU and memory intensive so try turning it off or greatly reduce the number of signatures it is processing The HTTP analyzers are also CPU intensive For example to turn off the HTTP reply analyzer add the following lines at the beginning of the file BROHOME site brohost bro before any load commands unload http reply Another solution is to modify libpcap filter for Bro This is done by adding restrict filters For example to only capture SYN FIN packets from a large web proxy you can do this redef restrict filters not proxy outbound Web replies not host bigproxy mysite net and src port 80 and tcp 13 amp 7 0 This filter will allow you to record the number and size of the HTTP replies but will not do further HTTP analysis Another way to reduce the CPU load of Bro analysis is to split the work across two Bro hosts An easy way to
32. arms AddressDropped AddressScan BackscatterSeen ClearToEncrypted_SS Count Signature DNS DNS_MappingChanged DNS DNS_PTR_Scan FTP FTP_BadPort FTP FTP_ExcessiveFilename FTP FTP_PrivPort FTP FTP_Sensitive FTP FTP_UnexpectedConn HTTP HTTP_SensitiveURI HotEmailRecipient ICMP ICMPAsymPayload ICMP ICMPUnpairedEchoReplyICMP ICMP ConnectionRl ntSensitivel D LoginForbiddenBut Confused LocalWorm MultipleSigResponders MultipleSignatures Outbound TFTP PasswordGuessing PortScan RemoteWorm ResolverInconsistency SSH Overflow SSL SessConIncon SSL X509Violation Chapter 6 Analysis of Incidents and Alarms 29 ScanSummary SensitiveConnection SensitiveDNS_Lookup SensitivePortmapper Access SensitiveLogin SensitiveSignature SensitiveUsernamelnPassword SignatureSummary SynFloodEnd SynFloodStart SynFloodStatus TRW TRWA ddressScan TerminatingConnection W32B_SourceLocal W32B_SourceRemote Zone Transfer 6 2 General Process Steps The following steps will both aid the Bro user with uncovering network activity of interest and also help acquaint the user with the anomalies that Bro detects together building up an understanding of what constitutes normal network traffic for the local site The analyst might follow each successive step with each incident until a firm determination is made if the incident is malicious or a false positive e Understand What Triggered the Alarm s e Understand the Intent of the Alarm s e Examine the Session s fr
33. ation is off by default To enable it redefine the following flag in your site site local bro file redef activate terminate connection T Connections are terminated using the rst program which is installed in BRO HOME bin To use this program change the file permission to be setuid root Whenever a connection is terminated you will see a TerminatingConnection alarm If Bro detects a connection that Bro thinks is a candidate for termination but activate terminate connection F then you will see the alarm IgnoreTerminatingConnection You may want to add a number of services to the list of forbidden services For exam ple to terminate all successful attempts to access the RPC portmapper via TCP from an external network you would add this redef terminate successful inbound service 111 tcp disallow external portmapper F This will prevent NFS connections from external hosts P2P services such as KaZaa can also be terminated in this manner You can make exceptions to terminate_successful_ inbound_service by redefing allow_services_to See hot bro for details 8 2 Updating Router ACL Bro can be used to send the IPs of scanning or attacking hosts to your router so that the router can drop these hosts Since every router does this differently you will need to write a script that works for your router To active your custom drop script add this to your hostname bro file load scan redef can drop connectivity T
34. bro Oprefixes local load site file generated by the network script for dynamic config of the local network subnets Make any changes to policy starting here The eload site will load the local site bro file from BROHOME site If you are making changes you should make them in myhost mysite bro file Bro can also be run on tcpdump w files instead of on live traffic To do this you must set a BROPATH enviroment variable to point at your set of policy scripts For example in csh setenv BROHOME usr local bro setenv BROPATH BROHOME site BROHOME policy bro r dumpfile brohost More information on Bro run time flags and environment variables is available in the Reference Manual Chapter 4 Running Bro 14 4 3 Bro Cron Scripts Installing brolite automatically creates the following cron jobs which are run on at the specified intervals e site report pl generates a text report of all alarms and notifications e mail_reports sh emails the reports generated by site report pl to the list of ad dresses specified in the file BROHOME etc bro cfg These scripts can also all be run by hand at any time Be sure your BROHOME environment variable is set first As Bro log files can get large quickly it is important to ensure that the Bro disk does not fill up Bro includes some simple scripts to help manage disk space Most sites will want to customize these for their own requirements and integra
35. ccess and record connection events hot defines certain forms of sensitive access frag process TCP fragments Chapter 7 Customizing Bro print resources signatures scan trw http http request http reply ftp portmapper smtp tftp worm software blaster synflood stepping reduce memory the signature policy engine 36 on exit print resource usage information useful for tuning generic scan detection mechanism additional more sensitive scan detection general http analyzer low level of detail detailed analysis of http requests detailed analysis of http replys FTP analysis record and analyze RPC portmapper requests record and analyze email traffic identify and log TFTP sessions flag HTTP based worm sources such as Code Red track software versions required for some signature matching looks for blaster worm looks for synflood attacks used to detect when someone logs into your site from an ex ternal net and then soon logs into another site sets shorter timeouts for saving state thus saving memory If your Bro is using lt 50 of you RAM try not loading this These are not loaded by default Include if site has ability to drop Detects stepping stones where both incoming and outgoing con Policy Description drop hostile remotes icmp icmp analysis dns DNS analysis ident ident program analyzer gnutella looks for hosts running Gnutella ssl ssl analyzer ssh stepping nections are ssh
36. ding malformed connections attacker s attempts to confuse or evade being detected malfunctioning hardware or misconfigured systems or network devices such as routers Some weird events could be the result of an attack others are just anomalies The better you know your own systems and networks the more likely you will be to correctly determine whether or not weird events compromise an attack Weird events are divided into three categories 1 Weird connections that are not formed in accordance with protocol conventions such as the way the tcp protocol should work Chapter 5 Bro Output 17 1 Weird flows in which data is being sent between two systems but no specific con nection between them can be identified and 1 Weird network behavior that cannot be associated with any particular system The following entry shows a weird connection in which packets are being sent between systems in what appears to be an ongoing ftp session but Bro has not identified any initial connection attempt i e there is an ack above a hole Nov 16 06 30 58 WeirdActivity window 50406 gt klecker debian org ftp ack above a hole The next entry below shows another weird traffic pattern in which eqvaad vipl doubleclick net has sent a flood of FIN packets packets that tell the other system in a connection to terminate the connection to bcig 8 within the network that Bro protects Nov 16 06 32 09 WeirdActivity bcig 8 2044 gt eqvaadvip1 doubleclick net htt
37. do this is to take the sum of the source and destination IPs and monitor even combinations on one host and odd combinations on a second host For example redef restrict filters capture even src dest pairs only ip 12 4 ip 16 4 amp Chapter 10 Bulk Traces and Off line Analysis 48 10 Bulk Traces and Off line Analysis NOTE This chapter still a very rough draft and incomplete Bro is most effective when used in conjunction with bulk traces from your site Capturing bulk traces just involves using tcpdump to capture all traffic entering and leaving your site Bulk traces can be very valuable for forensic analysis of all traffic in and out of a com promised host It is also needed to run some particularly CPU intensive policy analyzers that can not be done in real time as described in the Off line Analysis section below Depending on your traffic load you might be able to bulk capture on the Bro host directly but in general we recommend using a separate packet capture host for this Unless you want to buy a huge amount of disk you ll probably only be able to save a few days worth of traffic 10 1 Bulk Traces The Bro distribution includes a couple scripts to make bulk capture easier These are spot trace called by start capture all script Start capture all captures all packets This script looks for an existing instance of the spot trace program and if it finds one creates a new capture file name with an increment
38. e file bro policy http bro Alarm HTTP_SensitiveURI 11 13 11 36 05 80 143 378 186 gt 128 333 181 191 1560 tcp gt 80 tcp session 44672 payload GET http cn edit vip cnb yahoo com config login redir _from PROFILES Alarm HTTP_SensitiveURI 11 13 11 53 54 80 143 378 186 gt 128 333 181 191 2434 tcp gt 80 tcp session 47386 payload GET http 110 login scd yahoo com config login redir_f rom PROFILES amp annotation n the connections shown below all connections are from the remote host to the local host with no successful connections back Also the payload above is seeking yahoo com Hence the likelihood is that this is not an attack Chapter 5 Bro Output Connections only first 25 after alarm are listed time byte date time duration transfer 11 13 11 36 05 1 11 13 11 41 51 0 109227 843209 gt 562365 gt 694131 gt 685181 gt 054925 gt 579652 gt 046188 gt 731771 gt 994114 gt 122448 2 042112 remote port C local port byte transfer protocol http http http http http http http http http http http http http http http http http http http http http http http http http annotation The scans show below are considered successful Four interest ing scans shown below are the ones originating from the 124 333 and 132 2577 domains since they are local domains These should be investigated The at tac
39. e these values you can rerun bro_config at any time Indicates that the script finished successfully For site monitoring very high traffic rates on Gigabit Ethernet there is some additional system tuning that should be done See the Chapter 9 Performance Tuning page 46 section for more details To reconfigure Bro run BRHOME scripts bro_config This will update your usr local bro etc bro cfg file You can also edit this file using your favorite editor if you prefer For other site customizations you can edit the file BROHOME site brohost bro For example to tell bro to not look at traffic for host 198 162 44 66 add redef restrict_filters ignore host 198 162 44 66 not host 198 162 44 66 Fs More details are available in the section on Chapter 7 Customizing Bro page 35 3 4 OS Configuration This section contains information on critical OS tuning items More detailed tuning infor mation can be found in the section on Chapter 9 Performance Tuning page 46 FreeBSD Configuration The standard FreeBSD kernel imposes a per process limit of 512 MB of memory This is not enough for most Bro installations To check your current limit type limits H Chapter 3 Installation and Configuration 10 Unfortunately the only way to increase this limit in FreeBSD 4 x is to reconfigure and rebuild the kernel In FreeBSD 5 x it is much easier Just increase kern maxdsiz in poot defaults loader conf and rebo
40. ecause they often gets scanned by legitimate or at least common services The default list can be found in the brolite bro file If you want enable ICMP scan detection set these redef ICMP detect scans T redef ICMP scan threshold 100 Chapter 7 Customizing Bro 44 7 8 Other Customizations There are a number of things you may wish to customize hot_ids The policy file hot ids bro contains a number of constants that you might want to customize by redef ing them in your brohost bro policy file These are all used to generate FTP and login alarms SensitiveConnection Notice for suspicious users The user ID s that are in hot_ids and not in always_hot_ids are only hot upon successful login For details see the Bro Reference Manual constant Defaults forbidden_ids uucp daemon rewt nuucp EZsetup OutOfBox A4Dgifts ezsetup outofbox Adgifts sgiweb r00t ruut bomb back door bionic warhead check mate check mate check made themage darkmage yOuar3ownd netfrack netphrack always hot ids Ip demos retro milk moof own gdm anacnd forbidden ids hot ids root system smtp sysadm diag sys diag sundiag sync tutor tour oper ator sys toor issadmin msql sysop sysoper always hot ids Input Output Strings The policy files login bro and ftp bro both contain a list of input and output s
41. ed filename and continues capturing data Bulk capture files can get very large so typically you run this as a cron job every 1 2 hours bro bulk compress sh compress and or delete old bulk trace files Run as a cron job Since the bulk trace files can be huge you often will want to run tcpdump on the raw trace with a filter to extract the packets of interest For example tcpdump r bulkXXX trace w goodstuff trace host w x y z If you know that that packets you want are bounded by a time interval say it occurred 1 17PM 1 18PM then you can speed this up a great deal using tcpslice For example tcpslice 13h15m 5m bulkXXX trace tcpdump r w goodstuff trace host w x y z It is recommend to use a somewhat broader time interval for tcpslice such as in the above example than when Bro reported the activity occurred so you can catch additional related packets cheaply 10 2 Off line Analysis There are some policy modules that are meant to be run as off line analysis on bulk trace files These include backdoor bro looks for standard services running on non standard ports These ser vices include ssh http ftp telnet and rlogin To run Bro on a tcpdump file do something like this set up the Bro environment sh or bash usr local bro etc bro cfg usr local bro bin bro r dumpfile backdoor bro To use Bro to extract the contents of a trace file do Chapter 10 Bulk Traces and Off line Analysis 49 bro r trac
42. efile contents which will load policy contents bro It stores the contents of each connection in two files contents H1 P1 H2 P2 and contents H2 P2 H1 P1 where H1 P1 is the host port of the originator and H2 P2 the same for the responder You can extract just the connections of interest using for example bro f host 1 2 3 4 r tracefile contents Appendix A Bro Directory and Files 50 Appendix A Bro Directory and Files Figure A 1 The Bro Directory Structure A 1 The bro bin Directory The bin directory is the storage area for executable binary files used by Bro adtrace adtrace retrieves MAC and IP address information from tcpdump trace files usage adtrace lt trace file gt bro This program is the primary Bro executable Full use of the bro command is documented in the technical manual Appendix A Bro Directory and Files 51 cf A program that converts UNIX epoch time into a conventional date Most of the raw Bro logs record UNIX epoch time as the timestamp for their records Piping the file through cf will convert the time Full use of cf is documented in the technical manual rst A program that Bro calls to form and send a reset packet which will tear down a tcp connection The use of rst is documented in the Technical Manual and in chapter of the User Manual A 2 The bro etc Directory Configuration and other ancillary files are stored in the etc directory These files are usually changed by s
43. ess gt A password must be given to unsubscribe or change your options Once subscribed to the list you ll be reminded of your password periodically Chapter 1 Overview of Bro The digest option may be either nodigest or digest no quotes If you wish to subscribe an address other than the address you use to send this request from you may specify address lt email address gt no brackets around the email address no quotes e Website The official Bro website is located at http www bro ids org It con tains all of the above documentation and more Chapter 2 Requirements 5 2 Requirements 2 1 Network Tap Bro requires a network tap to give it access to live network traffic The tap needs to be full speed for the link being monitored and must provide copies of both directions of the link or you need to two taps one in each direction Normally the network tap for Bro should be placed behind an external firewall and on the DMZ the portion of the network under the control of the organization but outside of the internal firewall as shown in the figure below Some organizations might prefer to install the network tap outside the firewall in order to detect all scans or attacks Placing Bro outside the firewall will allow the organization to better understand attacks but will produce a more notifications and alarms Another option is to place Bro inside the internal firewall allowing it to detect internal hosts with
44. et that attempts to set up a session and all subsequent packets that take part in the session Initial packets that fail to set up a session are also recorded as connections and are tagged with a failure state that designates the reason for failure Each entry contains the following data describing the connection date time the duration of the connection the local and remote ip addresses and ports bytes transferred in each direction the transport protocol udp tcp the final state of the connection and other information describing the connection This file is often used in forensic analysis to determine network activity by a suspect host beyond the immediate alarm ftp All transactions involving the well known ftp control port 21 are recorded into this file Each entry is marked by an arbitrary session number allowing full ftp control sessions to be reconstructed Each entry contains the date time a session number and ftp connection information or the specific ftp commands transferred This file is often used to examine details of suspect ftp sessions http All transaction involving the well known http ports 80 8000 8080 are recorded into this file Each entry is marked by an arbitrary session number allowing the full http session to reconstructed Each entry contains the date time a session number and http connection information or the specific http commands transferred This file is often used to examine details of suspect web se
45. evel signature of a HTTP attack only looks at the attack packet where the Bro contextual signature also looks for the HTTP reply and only generates an alarm if the attack was successful In this section we explain how to customize signatures for your site and how to im port new signatures from Snort and bro ids org More information on the details of Bro signatures are in the signature section of the reference manual The following files are used to control and customize Bro signatures e BROHOME site signatures sig Bro version of snort signatures e BROHOME policy sig addendum sig Bro supplied signatures e BROHOME policy sig action bro policy file to control signature notification type Files in BROHOME policy contain the default Bro signatures and should not be edited Files in BROHOME site contain files you will use to customize signatures for your site New signatures that you write go here too All files ending in sig in this directory will be loaded into the signature engine In fact all sig files in any directory in BROPATH set in BROHOME etc bro cfg will be loaded 7 6 1 Turning Signatures ON OFF Signature matching is off by default To use a small set of known high quality signatures add the following to your site policy file load brolite sigs To use the full set of converted snort signatures add both of these lines load brolite sigs redef signature_files signatures If signatures are turned on then you
46. files For more information about the policy files see section Policy Signature support files Appendix A Bro Directory and Files 54 sig addendum sig This file contains small support utilities that are used in the implementation of Bro signa tures sig functions bro To be completed sig action bro To be completed Policy files e active bro alarm bro e analy bro e anon bro e backdoor bro e blaster bro e bro bif bro e bro init e brolite bro e capture events bro e checkpoint bro e common rw bif bro e conn id bro e conn bro e const bif bro e contents bro e cpu adapt bro e demux bro e dns info bro e dns lookup bro e dns bro e drop adapt bro e event bif bro e finger rw bif bro e finger bro e flag irc bro e flag warez bro e frag bro e ftp anonymizer bro Appendix A Bro Directory and Files ftp cmd arg bro ftp reply pattern bro ftp rw bif bro ftp safe words bro ftp bro gnutella bro hand over bro hot ids bro hot bro http abstract bro http body bro http entity bro http event bro http header bro http reply bro http request bro http rewriter bro http rw bif bro http bro icmp bro ident rewriter bro ident rw bif bro ident bro inactivity bro interconn bro listen clear bro listen ssl bro load level bro login bro mime bro mt bro netstats bro notice bro notice bro old ntp bro pcap bro pkt profile bro port name bro portmapper bro 55 Appendix A Bro Directory and
47. filters http request tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000 URIs that should not be considered sensitive if accessed remotely i e by a local client const skip_remote_sensitive_URIs Mcgi binV phflphpN cgiltest cgi amp redef const sensitive_post_URIs wwwroot WWWROOT amp redef Unfortunately there isn t any way of knowing exactly which one of these rules triggered the HTTP_SensitiveURL alarm As will be seen in the next section the triggering payload must be compared against this entire section 6 4 Understand the Intent of the Alarm s While understanding the technical signature or policy code that triggered the alarm it is also useful to understand the reason the trigger was built e What attack or malicious behavior is the alarm trying to illuminate e What is the normal method of attack manual automated expert novice e How long has the particular attack existed e How often is it seen How often is it actually used by attackers All of these things and any other information that can be gathered will help in differen tiating attacks from legitimate behavior Although this process may seem tedious and time consuming in the beginning the Bro analyst will quickly build up a substantial knowledge of known attacks Even if the incident in question turns out to be benign the effort to learn about the attack almost always proves useful in future investigations 6 4
48. g import mykey gpg Then you must to make the list of keys trusted so that they can be used to encrypt the email reports To do this you must edit the key to add ultimate trust to the key gpg edit key myemail address com pub 1024D 4A872E40 created 2001 02 05 expires never trust f sub 3072g B72DD7FE created 2001 02 05 expires never 1 Some R User lt myemaill address com gt Command gt trust pub 1024D 4A872E40 created 2001 02 05 expires never trust f sub 3072g B72DD7FE created 2001 02 05 expires never 1 Some R User lt myemail address com gt Chapter 3 Installation and Configuration 11 Please decide how far you trust this user to correctly verify other users keys by looking at passports checking fingerprints from different sources Don t know I do NOT trust I trust marginally I trust fully I trust ultimately back to the main menu BoRPWNE ll Your decision 5 Do you really want to set this key to ultimate trust yes pub 1024D 4A872E40 created 2001 02 05 expires never trust u u sub 3072g B72DD7FE created 2001 02 05 expires never 1 Some R User lt myemail address com gt Command quit For more information on GPG see http www gnupg org 3 6 Generating Reports on a Separate Host Warning this section assumes a reasonably high level of Unix system administration skills If your site has lots of traffic lots of connections or if Bro is using on average m
49. h the important attack ac tivity These supplied policy scripts will run out of the box and do not require knowledge of the Bro language or policy script mechanics e Powerful Signature Matching Facility Bro policies incorporate a signature matching facility that looks for spe cific traffic content For Bro these signatures are expressed as regular expressions rather than fixed strings Bro adds a great deal of power to its signature matching capability because of its rich language This allows Bro to not only examine the network content but to understand the con text of the signature greatly reducing the number of false positives Bro Chapter 1 Overview of Bro comes with a set of high value signatures selected for their high detection and low false positive characteristics as well as policy scripts that perform more detailed analysis e Network Traffic Analysis Bro not only looks for signatures but also analyzes network protocols connections transactions data volumes and many other network char acteristics It has powerful facilities for storing information about past activity and incorporating it into analyses of new activity e Detection Followed by Action Bro policy scripts can generate output files recording the activity seen on the network including normal non attack activity They can also send alarms to event logs including the operating system syslog facility In addition scripts can execute programs which c
50. has read write execute access to files in the BROHOME directory Appendix A Bro Directory and Files 53 host grep Greps a Bro connection summary log on stdin for two given hostnames Usage host grep a hostname hostname lt connection_log If a is specified then we only want lines with all of the listed hosts Restrictions e Must have BROHOME scripts included in the PATH environment vari able e Will only work with hostnames ip addresses are not accepted e Uses host to addrs and ip grep scripts host to addrs Finds all ip addresses associated with a given hostname Usage host to addrs hostname Restrictions e Must have BROHOME scripts included in the PATH environment vari able e Will only work with hostnames IP addresses are not accepted ip grep Returns an exact grep pattern for matching the IP addresses of the given hosts Usage ip grep hostname hostname Restrictions e Must have BROHOME scripts included in the PATH environment vari able e Will only work with hostnames ip addresses are not accepted e Uses host to addrs script site report pl This script produces the daily consolidated site report By default it is run daily via the cron job submitted by the bro user via files in var cron tabs The bro scripts pm Directory This directory contains perl modules to support the perl scripts in the scripts directory A 5 The bro policy Directory This directory contains all standard Bro policy
51. his in user bro s ssh config file also on the Bro capture host Host recvhost brohost foo com IdentityFile ssh batch key On the frontend host where the log files will be processed add batch pub to the autho rized_keys file cat batch key pub gt gt authorized_keys Then create a cron entry on the Bro capture host 1 1 nice n 20 rsync e ssh azv usr local bro logs host home bro Chapter 4 Running Bro 13 4 Running Bro 4 1 Starting Bro Daemon Bro is automatically started at boot time via the bro rc script located in BROHOME etc and usr local etc rc d on FreeBSD or etc init d on Linux To run this script by hand type bro rc start or bro rc checkpoint or bro rc stop Use checkpoint to restart a running Bro loading a new policy file Note that under Linux Bro must be run as the root user Linux must have root privilages to capture packets 4 2 Running Bro from the command line If you use bash for your shell you do something like this to start Bro by hand cd usr local bro etc bro cfg bro i ethi i eth2 myhost mysite org bro The etc bro cfg should set your BROHOME and BROPATH correctly to find all of the needed the files Files are loaded is the following order Bro is invoked with a start file in the above myhost mysite org bro In that file which is in BROHOME site there should be a couple of lines like this at the top uua D LEE myhost mysite org
52. ince some payload lines can get extremely long the payload lines in the report and notice and alarm logs has been truncated to 250 characters Sometimes the actual trigger payload is beyond the 250 character cut off In this case the protocol sessions log file must be examined See Section 6 5 Examine HTTP FTP or SMTP Sessions page 32 Chapter 6 Analysis of Incidents and Alarms 30 6 3 2 Embedded Bro Rule For alarms triggered by an embedded Bro rule the signature code block will not appear and in many cases neither will the payload There is currently no direct way to find the specific Bro rule that triggered the alarm other than to search the Bro policy files Following is a process for conducting that search The example of the HTTP_SensitiveURL is used In actual practice this rule appears quite often in the reports Read about the specific analyzer In the Bro Technical Reference Manual there are sections for each type of analyzer In the case of our example the HTTP analyzer is the obvious choice In the section on the HTTP analyzer it is noted that the variables sensitive URIs and sensitive_post_URIs are responsible for flagging sensitive URIs Find the policy file that defines these variables Using egrep to search for sensitive URIs and or sensitive_post_URIs yields the following gt egrep sensitive_URIs sensitive_post_URIs http http request bro const sensitive_URIs http request bro URIs that match sensitive_UR
53. ing Bro from the command line 13 S s2b addendum sigs sig 000002000 57 s2b functions bro 02 eee eee 57 s2b sigaction bro 0 eee 57 S2D S18 ranerne pena ede dra Pied Won Pa tas 57 Scan Thresholds 0 00 esses ee eee eee 44 Scan defimibioTi a cius vn dew Rer ERR 18 SCADS iced senate ad abe Ara Rag Rd reda 18 scans successful 0 0 cee eee eee eee ee 18 signature sCOreS s si vice sa ak n er ds 51 Signat l6eS reb iX RPREWRPRERRIOGUG eb bbs 41 signatures log oic y RR Ya recs 57 site report pl script 00 eee eee eee 52 SMG MOG aad MT 57 61 DIOE heed sec tip epee asad eee Rees ode edo es xa 3 software 08 sisi es uu va ddaaes e Ragga 57 Software requirements 0 0 0 eee eae 5 start time file ions ta pace eda Saba Pherae bee 52 starting Bro daemon 00 13 systemi statistiCS usos idi eerte rete ai 18 T Terminating a Connection 45 traffic statistics Lucre pie kem er adaini itis 18 Tuning Scan Detection 05 43 Turning Signatures ON OFF 42 U Updating Router ACL 000 00 45 V VERSION file iss soehreere hands ee dba d ais 51 weird lop ise es be Aes Ree eee PRES RY 57 WOoBm log i pret iaad e ECURPQUG C Hs okies 57 Writing New Policy 05 41
54. ing and victim host This tabulation of connections can be used to see if connections were accepted by the victim host the amount of bytes transferred in both directions the timing between the connections and the ports involved Scans This is a summary of the ip addresses involved in successful scans the type of scans and the attacks used by the scanners Connection Log Summary This section gives a overview of the most prominent connections that have occurred during the report period as shown by way of five tables Site wide connection statistics The number of successful and unsuccessful con nections and the ratio between the two Top 20 Sources Hosts that have initiated the most connections Top 20 Destinations Hosts that have accepted connections Top 20 Local E mail Servers The most active E mail servers Top 20 Services The services as determined by port number that have been involved in connections Byte Transfer Pairs This section gives a summary of the ip address address pairs that have transferred the most bytes during the report period 5 6 2 Annotated Example Report Site Report for ORG_NAME from 2004 11 03 00 00 00 to 2004 11 04 00 00 00 generated on Sat Nov 13 12 02 48 2004 annotation ORG_NAME will normally be replaced with Site name for reports that was given during the installation and configuration process Chapter 5 Bro Output 21 annotation Since this report is simple and only includes
55. k against 182 257 85 96 might also be investigated further With each report a review of the attacks will give an understanding of what types of scans are becoming popular Scanning IP 132 257 70 234 132 257 52 64 63 251 3 51 124 333 181 191 Victim IP multiple multiple multiple multiple Attack bro 1344 5 bro 1367 5 bro 2570 6 bro 1599 7 Chapter 5 Bro Output 25 210 313 36 53 132 257 85 96 1000 port scan 211 300 24 151 132 257 85 96 1000 port scan 124 333 95 0 62 214 34 30 250 port scan 172 278 206 135 multiple 3128 tcp annotation The connection log summary gives a general idea of what hosts are most active The analyst may want to become familiar with any new hosts that appear on the next three lists and services that appear or radically change position on the fourth list Site wide connection statistics Successful 4498748 Unsuccessful 35941140 Ratio 1 7 989 Top 20 Sources Host IP Bytes Conn Count nsi org name org 124 333 34 186 3 7 G 683948 ns2 org_name org 132 257 64 2 165 M 231245 lemonade org_name org 124 333 181 191 88 M 217781 nsx org_name org 132 257 64 3 371 M 200935 cinnamon mining com 207 5 380 138 4 5M 103011 node2 lbnl nodes planet org 198 328 56 12 106 M 75725 nodei lbnl nodes planet org 198 328 56 11 85 M 73719 microscope dhcp org_name org 132 257 19 79 61 M 54024 169 299 224 1 2 3 M 40348 uhuru org name org 132 257 10 97 423 M 39847 132 257 77 246 13 M 29496 googledev org name
56. mance chapter of the Bro User Guide for more informa tion 1 GHz CPU for 100 Mbps monitoring with average packet rate 5 000 packets second 2 GHz CPU for 1 Gbps monitoring with 10 000 packets second 3 GHz CPU for 1 Gbps monitoring with 20 000 packets second 4 GHz CPU for 1 Gbps monitoring with lt 50 000 packets second Recommended FreeBSD http www freebsd org Bro works with many Unix systems including Linux and Solaris but has been primarily tuned for FreeBSD We currently recommend using FreeBSD version 4 10 for Bro If your site has a large number of packets or connections per second you should look at the section on Section 9 1 Hardware and OS Tuning page 46 FreeBSD 5 x should work but is not quite as fast as 4 10 For sites with very high traffic loads and capturing traffic on two interfaces contact us for a FreeBSD 4 x kernel patch to do BPF bonding which allows merging the two directions of a network link into a single interface as seen by Bro While Bro can instead merge the two interfaces at user level this costs some performance 512 MB suffices for small networks say 200 hosts connected via a 100 Mbps link For larger networks 1 GB RAM will be required with 2 3 GB is recommended 10 GB minimum 50 GB or more for log files recommended superuser to install Bro with Bro then running as user bro 3 interfaces are recommended 2 for packet capture 1 for each direction and 1 for host manage
57. ment Capture interfaces should be identical For some network taps both directions of the link are captured using the same interface and the separate host man agement interface while prudent is not required Perl version 5 6 or higher http www perl org for report generation libpcap version 0 7 2 or higher http www tcpdump org Note Some version of FreeBSD come with older versions of libp cap Bro recommends newer versions of these tools for perfor mance reasons Chapter 3 Installation and Configuration 7 3 Installation and Configuration 3 1 Download Download Bro from http www bro ids org You can unpack the distribution anywhere except into the directory you plan to install into To untar the file type tar xzf bro pub 0 9 current tar gz 3 2 Install You ll need to collect the following information before beginning the installation e localnets a list of local subnets for your network Bro needs to know which networks are internal and which are external e interface names the names of the capture interfaces in your host e g sk0 or enl Use ifconfig a to get the list of all network interfaces on your Bro host If you want to use Bro s periodic email report feature you ll also need e email list a list of email addresses to send the reports to e PGP keys if you want to encrypt all email reports the location of the GPG keyring of all recipients Bro is easy to install Log in as root and type
58. mputers 0005 33 6 6 3 Odd AGLI VIL sou 2 docebat dob iod aea o acd ERU M RR 34 6 7 Examine the Bulk Trace if Available 34 6 8 Contact and Question Appropriate People 34 Customizing DUO 6622454 aw Roe Ro CR GER 35 DNE UNIO MUI TIPP 35 G2 NOCES pae a a a a es Pe a 37 deo Notice AGHONG s heare 2b Euer A ia EE hae 39 7 4 Customizing Builtin Policy 00 eee eee eee 40 Gb Writing New Policy c sacucda edt RR ERR MR xd NR 41 GO SIgnabLurtesS cipere chee hi Sele bie EP EOICEEREE De PPS 41 7 6 1 Turning Signatures ON OFF Leste kekbenv sespeneckes 42 7 6 2 Add a New Signature isses px der Rr ea ear casas es 42 7 6 3 Editing Existing Signatures sees 43 7 6 4 Importing Snort Signatures 0 ee eee eee eee 43 7 6 5 Checking for new Signatures from bro ids org 43 7 7 Tuning Scan Detection 0 0 eee eee eee 43 7 8 Other Customizations 0c nne 44 Intrusion Prevention Using Bro 45 8 1 Terminating a Connection seeeeeeeee en 45 5 2 Updating Router AGL ume k dI ute ERR RR eh rd 45 Performance Tuning 2 22 ss n wn 46 9 1 Hardware and OS Tunings prosessini cece eee eee 46 9 2 Bro Policy Tuning cece ee cece eee eee eee 4T 10 Bulk Traces and Off line Analysis 48 LO Bulk Lr ces zone crei ine eee ee he Rn E LERPEAP EIS 48 10 2 Offline Analysis srsrecsrieseisecres restini ei kni unine ee
59. n Bro operational statistics and network informa tion The incidents section has details for each Bro alarm The scans section gives details about scans that Bro detected 5 6 1 Parts of a Report Header The header gives some basic information about the report Site name is determined by the Site name for reports that was given during the installation and configuration process Start time and interval of the report are also entered during the configuration process See Section 3 3 Bro Configuration page 8 Summary This section give a numeric summary of the events that have happened in the reporting period Incidents shows the number of incidents that are recorded in the report period An incident is any occurrence that is deemed worth investigating An incident is formed by the triggering of one or more alarms Scanning Hosts are the number of specific IP addresses that have been detected scanning either into or out from the site A scan can be a e port scan scanning several ports of a single host e network scan scanning several hosts for open ports e signature scan attacking multiple hosts with a specific vulner ability attack signature Chapter 5 Bro Output e targeted attack launching multiple signatures against a single host e password scan attempts to guess passwords on telnet termi nals A successful scan is when e the bytes sent by a single probe of a scan against a host or several host
60. nce on each report at the top of the Incidents section Incident number Each incident listed in the Bro report is assigned a unique sequential identification number prefixed with the organization identifier This number is unique for all incidents not just to the daily reports Remote and Local hosts The Remote and Local hosts are identified by both ip address and hostname The local hosts are those that are in local subnets as determined during Bro configuration It is important to note that remote Chapter 5 Bro Output 20 host does not infer attack host Attacks can come from local hosts indicating an inside hacker or a compromised host Alarms The network event s that Bro detects and identifies as possible at tacks There are two general types of alarms those triggered by signatures and those triggered by Bro rules See Section 6 3 Understand What Triggered the Alarm s page 29 for more information about the differences All alarms will include the date time of the attack the direction of the attack and the ports involved A SensitiveSignature will include the signature code and payload to help evaluate what triggered the alarm Embedded Bro rules will include the payload and a session number which can be used for further investigation in the logs See Section 6 5 Examine HTTP FTP or SMTP Sessions page 32 Connections A list of the first 25 connections after the first alarm is triggered that are attempted between the attack
61. nd ports and a short description of the weird activity This file is useful for detecting odd Appendix A Bro Directory and Files 59 behavior that might normally fly under the radar and also for getting a general sense of the amount of garbage that is on the network worm Bro s worm bro policy detects patterns generated by specific worms and records the instance in this file Currently the worms detected are code red1 code red2 nimda and slammer Each entry in the file contains the date time the worm detected and the source ip address of the worm This file is useful for spotting hosts that have been infected with worms Other files in the logs directory are State To be completed active_log To be completed A 8 The bro archive Directory The archive directory is initially empty The script bro script bro_log_compress sh popu lates the archive directory with compressed log files A 9 Other Files Appendix A Index Index active logu 65 deuce ine dyad reife raus aes 57 Add a New Signature 00 eee 42 adtrace executible 0 0 0 0 0 cee nunnana 50 AAT sickens a enisi itk eine ADS Oe de oil dae ok 18 alarm log i exe a mitoak RE EG ERA 57 alert SCTE recer de Dese ker ule wi ue ol autorestart file llle lees 52 B bro executible cicisa o v UE ep PEE Dea 50 Bro Policy Tuning s 47 bro config Scfipt 2 seen ec ret e ns 52 bro logchk pl script eceieiriirideret ori rannis 52 DP
62. nored scan A request to drop connectivity has been ig nored scan detected but one of these flags is true can_drop_connectivity or never_shut_down or never drop nets AddressDropped scan Connectivity w given address has been dropped AddressScan scan The source has scanned a number of addrs BackscatterSeen scan Apparent flooding backscatter seen from source ClearToEncrypted_ stepping A stepping stone was seen in which the first ss part of the chain is a clear text connection but the second part is encrypted This of ten means that a password or passphrase has been exposed in the clear and may also mean that the user has an incomplete no tion that their connection is protected from eavesdropping ContentGap weird Data has sequence hole perhaps due to filtering CountSignature signatures Signature has triggered multiple times for a destination DNS DNS_ DNS Some sort of change WRT previous Bro MappingChanged lookup DNS DNS PTR Scan dns Summary of a set of PTR lookups au tomatically generated once day when dns policy is loaded DroppedPackets netstats Number of packets dropped as reported by the packet filter FTP FTP BadPort ftp Bad format in PORT PASV FTP FTP_ ftp Very long filename seen ExcessiveFilename FTP FTP PrivPort ftp Privileged port used in PORT PASV FTP FTP Sensitive ftp Sensitive connection as defined in hot FTP FTP_ ftp FTP data transfer from unexpected src UnexpectedConn
63. ns The general format of all three files is date time GP sessionnumber GP Message where date time is the time in UNIX epoch time The cf utility can be used to convert this time to readable time Reference Tech Manual sessionnumber is the number assigned to session All subsequent records in the file that are part of the session will retain this same session number Session numbers are prefixed with the sign message is the message that Bro policy has formed to describe the session event Typically the message will be e the start of the session including the two ip addresses involved e an anomolous event e the full protocol command line that was sent e short statistics concerning the transaction e g bytes sent In an alarm where the session number is given typically in a SensitiveSignature alarm a search on the session number in the appropriate file s will show the full sessons See Section A 7 The bro logs Directory page 57 Example Consider the following alarm Alarm HTTP SensitiveURI 11 22 12 52 42 128 333 48 179 80 143 378 186 3091 tcp gt 80 tcp session 473280 payload GETM NR rdonlyres eirownz4tqwlseoggqm2ahjb5cqsdbedlaxyye TkvdzTrnh6u402v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb smallshoulders gif 200 OK 1134 From the payload shown it is unclear what triggered the alarm To investigate further the entire session can be viewed Example Chapter 6 Analysis of Incidents
64. ns 48 ii Appendix A Bro Directory and Files 50 Ad Th bro bin DIBDOEY ioisoseaice cone to TE pa ETE ERE dd qui 50 AD The bro ete Directory iiie deskesosu te ure ki ewe decida 51 A 3 The bro var Directory esa nce nee hava poa ed qe on bent Us 52 AA The bro scripts Directory 12 sedes eges kae ttbu Rea ens 52 A 5 The bro policy Directory uus oe re Rte e e 53 A 6 The bro site Directory 25 5 vede eee bed Rie e CER chapels 57 A 7 The bro logs Directory cose ant Ier EUER cn ed seane cans 57 AS The bro archive Directory ote cr coa err bEr rebns dnd 59 AUS Other Biles c eiren E E 59 ndek eosrecern wage sew eee EE ERE EN E sx 60 iii Bro User Manual Chapter 1 Overview of Bro 2 1 Overview of Bro 1 1 What is Bro Bro is a Unix based Network Intrusion Detection System IDS Bro monitors network traffic and detects intrusion attempts based on the traffic characteristics and content Bro detects intrusions by passing network traffic through rules describing events that are deemed troublesome These rules might describe activities e g certain hosts connecting to certain services what activities are worth alarming e g attempts to a given number of different hosts constitutes a scan or signatures describing known attacks or access to known vulnerabilities If Bro detects something of interest it can be instructed to either issue a log entry or initiate the execution of an operating system command such as sending email o
65. om the HTTP FTP or SMTP Logs e Examine the Connection Logs for Breakin Indicators e Examine for Connections to Other Computers e Examine Other Bro Logs for Odd Activity e Examine the Bulk Trace if Available e Contact and Question Appropriate People 6 3 Understand What Triggered the Alarm s To understand what triggered the alarm compare the signature or rule code with payload The network traffic that matches the signature rule or policy is known as the payload The payload that triggers the alarm is usually included in the Bro s incident report Often it is obvious that the payload is not malicious Example The signature may trigger on the word shadow notifying that some one may be attempting to download the shadow password file However the payload may reveal that the actual download is something like theshadow jpg which is obliviously innocuous The two kinds of alarms converted signatures and embedded rules trigger alarms differ ently so they must be treated separately The following sections describe how to investigate the signature or rule code and payload of each 6 3 1 Converted Snort Signatures These signatures are recognizable by the inclusion of a bro number and the identification SensitiveSignature A signature code and payload block should be present in the incident report To understand what triggered the alarm compare the payload to the signature code and find the defined signature within the payload S
66. ome other things to try FreeBSD First check that your BPF buffer size is big enough The Bro installation script should set this correctly for you but to test this do sysctl debug bpf_bufsize sysctl debug bpf_maxbufsize They should both be at least 4 MB Next if your Bro host is capturing packets on 2 interfaces and you are running FreeBSD we provide a patched kernel that bonds both interfaces into a single interface at the BPF level This reduces CPU load considerably This patched kernel also increases the default per process memory limits This kernel source is available for download at http www bro ids org download FreeBSD 4 10 bro tgz To install this kernel and the BPF bonding utilites type tar xfz fbsd 4 10 bond tgz cd FreeBSD 4 10 RELEASE sys i386 conf usr sbin config BRO cd compile BRO make depend make make install cd FreeBSD 4 10 RELEASE 1local sbin bpfbond make make install reboot Chapter 9 Performance Tuning 47 For more instructions on rebuilding the kernel see http www freebsd org doc en_ US 1S08859 1 books handbook kernelconfig html Linux Check that the net core rmem max buffer is big enough The Bro installation script should set this correctly for you but to test this do sysctl net core rmem_max It should be at least 4 MB For heavy traffic load the Linux version of libpcap has a hard time keeping up There are a couple a options available to improve Linux pc
67. ong curiosity is an analyst s best friend and Bro is the vehicle for allowing him or her to follow that curiosity 6 1 Two Types of Triggers There are two ways that alarms can be triggered One is when network traffic matches a signatures that has been converted to work with Bro The other way is by matching Bro rules that are embedded in the Bro analyzers 6 1 1 Converted Signatures In the Bro report converted signatures are identified by the alarm type SensitiveSignature and the existence of a bro identification number Each signature is distinct targeting one specific set of network events for each alarm Currently the majority of converted signatures are developed from Snort C signatures using the snort2bro utility In addition enhancing have been made by utilizing features in the Bro policy language that are absent in Snort C Most Bro signatures are found in the BROHOME site signatures sig however they can exist in other sig files 6 1 2 Embedded Bro Rule Bro rules are typically embedded in the Bro analyzers or other bro policy files Several trigger conditions are usually lumped into a grouping of Bro rules within a bro file making it difficult to separate the exact condition that triggered the alarm Hence alarms triggered by an embedded Bro rule will not have a specific bro identification number nor will the signature code block appear in the report Possible types of embedded bro rule al
68. ore than around 4096 of your CPU you ll want to use a second host for generating reports To do this on the Bro host run bro_config and say N to all report generation ques tions Then install Bro on the second host using the following configure make make install reports Then follow the instructions in Section 3 3 Bro Configuration page 8 for setting up report generation You ll also need to set up a method to copy files from the Bro host to the report generation host One way to do this is using rsync and the Bro script push logs sh does this for you For example you can set up a cron job like this on the Bro host 1 1 push logs sh usr local bro etc bro cfg host home bro gt gt tmp bro push 1lo To make sure your rsync command has time to transfer all log files before your report generation script is run the push 1ogs sh script is designed to be used with the scripts frontend site report sh and frontend mail report sh on the frontend host These frontend scripts wait for a file with a particular name to exist before running It is also important to use the nice command to help ensure the network copy does not unduly divert processing away from Bro Chapter 3 Installation and Configuration 12 You may want to rsync the log files over a secure ssh connection To do this you need to first generate a ssh key pair on the Bro capture host with no passphrase ssh keygen t rsa C batch key f batch key Put t
69. org 124 333 41 57 13 M 24930 64 46 248 43 60 M 19785 16 141 sfo4 dsl contactor net 66 292 16 141 6 2 M 19048 rock es net 198 128 2 83 2 8 G 18459 perry Geo college EDU 124 32 349 11 1 7 M 17326 google org name org 124 333 41 70 8 5 M 15508 egspd42212 search com 65 264 38 212 3 1M 15138 hmb 330 042 MSE college EDU 124 32 349 20 222 M 14865 irodan dhcp org name org 132 257 19 170 CUM 11873 Top 20 Destinations Host IP Bytes Conn Count nsx org name org 132 257 64 3 14 G 1571638 nsi org name org 124 333 34 186 1 6 G 264976 Chapter 5 Bro Output ns2 org_name lemonade org_name CS university g old servers engram CS university aulvs realthing nsi college rohan superc sportsmed starship ns2 yoho uhuru org name g3 NSDDD w4 org name E TOP SERVERS mantis org name postala org name vista org name calmail college Top 20 Local Email Senders Hostname mtal postala i postal2 ee math rod2 gigo mhi stm Top 20 Services Service Conn Count dns 3378522 http 902573 other 92913 smtp 35942 https 33848 ssh 25515 netbios ssn 11004 pop 3 5494 ftp data 4495 ldap 3549 org name 132 257 64 2 124 333 181 19 128 312 136 10 192 42 293 30 128 312 136 12 207 288 24 156 124 32 349 9 128 550 6 34 199 281 132 79 66 263 169 170 132 257 10 97 192 342 93 32 124 333 7 51 192 303 230 10 124 333 7 39 124 333 41 61 132 257 48 146 128 32 349 103 org org EDU net EDU com EDU go
70. ot For example kern maxdsiz 2G and look at the datasize setting which should be the same as your amount of RAM If this is not true see section Section 9 1 Hardware and OS Tuning page 46 for information on fixing this For FreeBSD 5 3 BPF devices are no longer created using MAKEDEV but rather are created on demand This is configured automatically by running make install brolite or you can figure it by hand by adding the following to etc rc local devfs ruleset 15 devfs rule add 15 path bpf mode 660 user bro Linux Configuration You may want increase these for a high traffic environment not done need to get recommended values for these proc sys net core rmem default IP Stack socket receive queue proc sys net core rmem max similar to rmem default proc sys net core netdev max backlog queue between driver and socket 3 5 Encrypted Reports Bro can use GPG http www gnupg org to encrypt the reports that it sends To have Bro encrypt your reports you must have said yes to the bro config question to encrypt your reports Then each email recipient much generate a public private key pair and their public key must be installed on the Bro machine in the home directory of the user running the Bro process To create a key pair gpg gen key To export the public key gpg armor output mykey gpg export myemail address com Then login to the machine running Bro and import the list of public keys gp
71. p FIN_storm Here s another one in this case a system with an IP address of 222 64 93 208 has sent a flood of packets that have both the SYN and the ACK flags set something that should normally happen only once in a TCP session nsx is the destination system Nov 16 06 30 58 WeirdActivity 222 64 93 208 1115 gt nsx dns repeated_SYN_with_ack Packets sent over networks are often broken up or fragmented for various reasons Fragmented packets are not necessarily a sign of an attack but large fragments can indicate suspicious activity such as attempts to cause denial of service In the following example Bro has identified a very large packet fragment sent by p508c7fc5 dip t dialin net to an internal system with an IP address of 131 243 3 162 Nov 16 06 30 50 WeirdActivity p508c7fc5 dip t dialin net gt 131 243 3 162 excessively large fragmentlg Sometimes attackers attempt to evade being detected by sending malformed packets to the system they are attacking The receiving system cannot process them so it informs the sending attacking system accordingly asking it to resend them The sending system may now send packets that constitute an attack Some intrusion detection systems but not Bro ignore what is resent because in theory it is unnecessary to reanalyze what has already been sent Bro detects this kind of retransmission inconsistency rermit inconsistency and reports it The following example shows that there has been retransmission
72. r creating a router entry to block an address Bro targets high speed Gbit second high volume intrusion detection By judiciously leveraging packet filtering techniques Bro is able to achieve the performance necessary to do so while running on commercially available PC hardware and thus can serve as a cost effective means of monitoring a site s Internet connection 1 2 Bro features and benefits e Network Based Bro is a network based IDS It collects filters and analyzes traffic that passes through a specific network location A single Bro monitor strategi cally placed at a key network junction can be used to monitor all incoming and outgoing traffic for the entire site Bro does not use or require instal lation of client software on each individual networked computer e Custom Scripting Language Bro policy scripts are programs written in the Bro language They contain the rules that describe what sorts of activities are deemed troublesome They analyze the network activity and initiate actions based on the anal ysis Although the Bro language takes some time and effort to learn once mastered the Bro user can write or modify Bro policies to detect and notify or alarm on virtually any type of network activity e Pre written Policy Scripts Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives i e alarms that confuse uninteresting activity wit
73. r protocol 07 29 12 43 31 566 b 4634 1 gt 1433 467 b tcp MSSQL 07 29 12 43 31 0 2318 2 lt 69 20 b udp tftp 07 29 12 43 32 265 7 4b 4638 lt 2318 3 0kb udp Chapter 5 Bro Output 07 29 12 48 56 4640 gt 2362 tcp 07 29 12 50 05 11 4kb 4639 lt 3333 8 6kb tcp 07 29 12 53 00 0 4684 gt 2362 tcp 07 29 12 53 07 4685 gt 2362 tcp 07 29 12 53 59 4689 gt 2362 tcp 07 29 12 54 14 6 1 0 4693 lt 2380 94 2kb tcp 07 29 12 54 21 5 50 b 4694 gt 2381 O tcp 07 29 12 54 23 of 4695 lt 2382 O tcp 07 29 12 54 25 5 51 b 4696 gt 2383 O tcp 07 29 12 54 27 5 61b 4697 gt 2384 O tcp 07 29 12 54 28 of 39 b 4698 2385 O tcp 07 29 12 54 31 5 41b 4699 gt 2386 O tcp 07 29 12 54 33 1 2 4 9 kb 4700 gt 2387 O tcp 07 29 12 54 35 12 8 195 0 kb 4701 lt 2388 0 tcp 07 29 12 54 53 2 4703 lt 2390 O tcp 07 29 12 54 54 5 37 b 4704 2391 O tcp 07 29 12 54 56 3 4 23b 4705 gt 2392 O tcp 07 29 12 55 04 21 4 308 7 kb 4706 gt 2393 O tcp 07 29 12 55 27 50 7 4707 gt 2394 tcp 07 29 12 59 23 A775 gt 1433 tcp 07 29 12 59 25 4774 gt 3333 tcp annotation The neszt Incident demonstrates alarms triggered by embedded rules rather than signatures Incident ORG_NAME 000004525 Remote Host 80 143 378 186 p508FB2BA dip t dialin net Local Host 128 333 181 191 lemonade 1b1 gov annotation Since these alarms are triggered in the HTTP protocol the actual trigger rules are found in th
74. ript is the basic analyzer used by Bro to determine what network events are alarm worthy A policy can also specify what actions to take and how to report activities as well as determine what activities to scrutinize Bro uses policies to determine what activities to classify as hot or questionable in intent These hot network sessions can then be flagged watched or responded to via other policies or applications determined to be necessary such as calling rst to reset a connection on the local side or to add an IP address block to a main router s ACL Access Control List The policy files use the Bro scripting language which is discussed in great detail in The Bro Reference Manual Policy files are loaded using an load command The semantics of load are load in this script if it hasn t already been loaded so there is no harm in loading something in multiple policy scripts The following policy scripts are included with Bro The first set are all on by default and the second group can be added by adding them to your site brohost bro policy file Bro Analyzers are described in detail in the Reference Manual These policy files are loaded by default site defines local and neighbor networks from static config alarm open logging file for alarm events tcp initialize BPF filter for SYN FIN RST TCP packets login rlogin telnet analyzer or to ensure they are disabled weird initialize generic mechanism for detecting unusual events conn a
75. s are more than three deviations away from the standard deviation of the rest of scan In essence where the bytes transferred on one connection is different than the rest of the scan other connections involved in the scan e a separate connection back to the attacker host is detected from the local network e the number of bytes sent back from the targeted victim host to the offender during a scan connection exceeds 20480 Signature Summary shows the total number of alarms triggered by signatures during the report period and the number of those that are unique These numbers do not include alarms triggered by embedded Bro rules See Section 6 3 Understand What Triggered the Alarm s page 29 Signature Distributions This is a list of all signatures that were triggered during the report period 19 NOTE This section does not include alarms triggered by embedded Bro rules See Sec tion 6 3 Understand What Triggered the Alarm s page 29 Count is the number of times the signature was seen Unique Sources is the number of unique ip addresses that used the specific signature as an attack Unique Dests is the number of unique ip addresses that were attacked by the particular signature Unique Pairs are the number of unique source dest ip address pairs where the source used the signature to attack the destination Incidents Legend This is the legend for reading the connections portions of the each incident It is shown o
76. ssions Appendix A Bro Directory and Files 58 info This file contains information concerning the operation of Bro during the time interval covered by the file The entries will consist of the Bro version number startup information and Bro runtime warnings and errors This file is helpful in troubleshooting Bro operational difficulties notice Network occurrences that are determined to be of nominal importance will be written into the notice file The determination is made by the Bro policy scripts Local site modifications can override default Bro alarms or create new ones that are site specific The notice files are similar to the alarm files but of lesser importance Each entry contains the date time a notice type a notice action the local and remote ip addresses and ports Optionally depending on the type of notice an entry might contain information about user filename method URL and other messages This file alerts to occurrences that are worth noting but do not warrant an alarm signatures This file contains information associated with specific signature matches These matches do not necessarily correspond to all alarms or notices only to those that are triggered by a signature Each entry contains the date time a description of the signature the local and remote ip addresses and ports the signature id number if available a description of the signature trigger a portion of the offending payload data a count of tha
77. t particular signature and a count of the number of involved hosts This file gives details that are helpful in evaluating if an event triggered by a signature match is a false positive smtp All transactions involving the well known smtp port 25 are recorded into this file Each en try is marked by an arbitrary session number allowing full smtp sessions to be reconstructed Each entry contains the date time a session number and smtp connection information or the specific smtp commands transferred This file is often used to examine details of suspect mail sessions software This file is a record of all unique host software pairs detected by Bro during the time interval covered by the file Each entry in the file contains the date time the ip address of the host and information about the software detected This file can be useful for cataloging network software However population of this file on a busy network often results in a huge number of entries Since the relative daily usefulness of the file usually does not warrant the disk space it consumes the software file is turned off by default It can be turned on by lt lt lt instructions gt gt gt weird Network events that are unusual or exceptional are recorded in this file A number of these events shouldn t or even can t happen according to accepted protocol definitions yet they do Each entry in the file contains the date time the local and remote ip addresses a
78. te them into their backup system to make sure files are not removed before they are archived e check_disk sh send email if disk space is too low e bro_log_compress sh remove compress old log files These scripts can be customized by editing their settings in BROHOME etc bro cfg The settings are as follows e check disk sh e diskspace pct when disk is gt this percent full send email default 85 e diskspace_watcher list of email addresses to send mail to e bro log compress sh e Days2deletion remove files more than this many days old default 60 e Days2compression compress files more than this many days old default 30 Chapter 5 Bro Output 15 5 Bro Output This section explains the contents of the various output files and reports that Bro creates 5 1 Rotating Log Files There are a number of ways to control the rotation of Bro s log files Here are some examples if using one log must open append default truncate load log append load rotate logs rotate at midnight redef log_rotate_base_time 0 00 do not rotate on shutdown default T redef RotateLogs rotate on shutdown F rotate frequency redef log_rotate_interval 24 hr 5 2 Alarm File 5 2 1 Alarm File Format The alarm log is a tagged format that is fairly self descriptive This is an example from the alarm log file t 1000057981 940712 no AddressScan na NOTICE ALARM ALWAYS sa 10 1 1 1 sp 2222 tcp da 10
79. trings that indicate suspicious activity In you wish to add anything to this list you may want to redef one of these login bro see input trouble and output trouble ftp bro see ftp hot files Sensitive URIs The policy file http request bro contain a list of http URI s that indicate suspicious activity In you wish to add anything to this list you may want to redef one of these sensitive URIS sensitive post URIs Log Files redef this to rotate the log files every N seconds log rotate interval default 0 sec don t rotate redef this to rotate the log files when they get this big log_max_size default 250e6 rotate when any file exceeds 250 MB Chapter 8 Intrusion Prevention Using Bro 45 8 Intrusion Prevention Using Bro Bro includes two important active response capabilities that allow sites to use Bro for intrusion prevention and not just intrusion detection These include the ability to terminate a connection known to be an intrusion and the ability to update a blocking router s access control list ACL to block attacking hosts 8 1 Terminating a Connection The Bro distribution includes a program called rst that will terminate a active connection by sending a TCP reset packet to the sender The ftp and login analyzers look for connections that should be terminated All connections from a forbidden_id get flagged for termination as well as any service defined in terminate_successful_inbound_service Connection termin
80. two incidents the summary is rather uninteresting A glance at this summary would reveal a rather slow day for which you should be thankful Incidents 2 Scanning Hosts Successful 8 Unsuccessful 15 Signature Summary Total signatures Unique signatures Unique sources Unique destinations Unique source dest pairs 1 NNN PN annotation Since the same to ip addresses were involved in both signature attacks there is only one unique source dest pair Unique Unique Unique Signature ID Count Sources Dests Pairs bro 687 5 1 1 1 1 bro 144 3 1 1 1 1 annotation The following legend appears once in every report at the top of the Incidents section legend for connection type C Connection Status number corresponds to alarm triggered by the connection successful connection otherwise unsuccessful I Initiatator of Connection gt connection initiated by remote host lt connection initiated by local host annotation The host domain name org name org will normally be replaced by the local domain name The IP addresses in this example have been syn thesized from an imaginary range outside of the octal range We realize these ip addresses cannot exist In this example the ip ranges 124 333 0 0 24 and 132 257 0 0 24 are considered the local subnets Chapter 5 Bro Output 22 Remote Host 84 136 338 21 p54877614 dip hacker net Local Host 124 333 183 162 pooroljoe dhcp org name org annotation This attacker was successful
81. upplimentary configuration tools supplied with the Bro distribution Direct editing of these files is discouraged If direct edits are made the changes may be reversed or deleted during subsequent Bro updates alert scores This file contains ranking numbers for alarms the use of the term alert is vestigial and will be changed in the future The ranking numbers are used as part of the ranking system for determining the success likelihood of an incident triggering a specific alarm bro cfg This file contains configuration criteria for operational parameters Most of the parameters are set during the installation process and can be changed using the bro config script bro cfg example A annotated generic bro cfg file This file is not used by Bro It is supplied for documen tation purposes bro rc This is the script for controlled starting and stopping of Bro See section for its use bro rc hooks sh This script is called by bro rc at various points during the starting and stopping of Bro It is presented as an interface for customizations into the start and stop process signature scores This file contains ranking numbers for signatures The ranking numbers are used as part of the ranking system for determining the success likelyhood of an incident triggering a specific signature VERSION A file containing the Bro version number for the installed distribution Appendix A Bro Directory and Files 52 A 3 The bro
82. v com com org COM org NET org org org EDU org_name org_name org_name org name org name org name org name org name org name 458 2 3 977 65 58 37 740 O OO OOO Old 1 N Q OBRA OG GO GNO 80 2 6 10 11 7 5 792 995 4 7 17 2 1 58 488 447 195 395 8 0 488 73 SSS 3232353 53 GO SQEB 3B 3BQN 2Q8 41 61 192 220 248 26 1 10 1 22 112 183 2 54 7 48 16 51 Bytes Out E Q HM HM OO UG WOD coa 218740 176788 81622 71407 61309 50493 39977 32883 32152 24361 19785 19734 19334 19066 18811 17283 15961 15154 26 Chapter 5 Bro Output ftp 1061 0 02 1 3 M 873 K ident 970 0 02 29602 9039 printer 834 0 02 837 9176 time 645 0 01 2416 166 imap4 636 0 01 28 M 47 M nntp 308 0 01 355 M 1 5 M pm getport 238 0 01 13328 6664 telnet 164 0 00 469 K 7850 ntp 26 0 00 1344 1392 X11 6 0 00 652 K 64280 annotation Once again this summary gives a general idea of what hosts are most active Radical changes to this list may indicate malicious activity Hot Report Top 20 Local Remote Conn Local Host Remote Host Bytes Bytes Count 124 333 28 60 128 265 128 131 123 G 5327 K 3930 124 333 28 60 128 265 128 132 123 G 5159 K 3927 132 257 64 3 198 328 2 83 2855 M 11 9 G 15097 124 333 34 186 192 342 93 30 2958 M 10 7 G 40033 132 257 64 3 61 283 32 172 7469 M 10393 11 124 333 41 57 128 256 6 34 12 0 M 4490 M 22360 124 333 181 191 81 257 197 163 1350 M 4430 M 3341 132 257 64 3 1
83. var Directory Temporary information about the current Bro instance is stored in the var directory autorestart Contains the word ON if Bro is configured to autorestart pid Contains the process ID number for the current instance of Bro start_time Contains the date and time when the current instance of Bro was started A 4 The bro scripts Directory This directory contains a number of auxiliary scripts used to suppliment Bro s operation bro config A utility script for changing the Bro operational parameters in the bro cfg file bro logchk pl Currently this file does not work A utility program for searching ftp and http log files for activity by specific ip addresses Usage bro logchk pl hrDFHds f filename a ipaddr x ipaddr h print this usage information F using ftp log H using http log r try to resolve IP addresses to hostnames f file log file to parse a ipaddr only output connections from this address sS only want matching source address used with a d only want matching dest address used with a D debug option x ipaddr exclude connections from this address bro log compress sh A very simple script written to manage log and coredump files By default it compresses log files older than 30 days and sends them to the archive directory it deletes log files older than 60 days and it deletes coredump files older than 4 days Restrictions e Must be run from a user account that
84. viruses or worms In addition to the connection to the network tap a separate network connection is recommended for management of Bro and access to log files For more information on taps and tap placement see the Netoptics White paper titled Deploying Network Taps with Intrusion Detection Systems http www netoptics com products pdf Taps and IDS s pdf Bro Intrusion Detection Z Internet Internal firewall DMZ Internal server Computer Web and FTP server Figure 2 1 Typical location for network tap and Bro system 2 2 Hardware and Software Requirements Bro requires no custom hardware and runs on low cost commodity PC style systems How ever the Bro monitoring host must examine every packet into and out of your site so de pending on your site s network traffic you may need a fairly high end machine If you are trying to monitor a link with a large number of connections we recommend using a second system for report generation and run only Bro on the packet capture host Item Requirements Chapter 2 Requirements Processor Operating System Memory Hard disk User privileges Network Interfaces Other Software Note these are rough estimates Much depends on the number of connections second the types of traffic on your network e g HTTP FTP email etc and you can trade off depth of analysis especially which protocols are analyzed for processing load See the Perfor
Download Pdf Manuals
Related Search