Bro: A System for Detecting Network Intruders in Real-Time

Vern Paxson

Lawrence Berkeley National Laboratory, Berkeley, CA¹
and
AT&T Center for Internet Research at ICSI, Berkeley, CA
vern@aciri.org

Abstract: We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an ``event engine'' that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a ``policy script interpreter'' that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the six applications integrated into it so far: Finger, FTP, Portmapper, Ident, Telnet and Rlogin. The system is publicly available in source code form.

1   Introduction

High-speed, large volume monitoring

For our environment, we view the greatest source of threats as external hosts connecting to our hosts over the Internet. Since the network we want to protect has a single link connecting it to the remainder of the Internet (a ``DMZ''), we can economically monitor our greatest potential source of attacks by passively watching the DMZ link. However, the link is an FDDI ring, so to monitor it requires a system that can capture traffic at speeds of up to 100 Mbps.

No packet filter drops

If an application using a packet filter cannot consume packets as quickly as they arrive on the monitored link, then the filter will buffer the packets for later consumption. However, eventually the filter will run out of buffer, at which point it drops any further packets that arrive. From a security monitoring perspective, drops can completely defeat the monitoring, since the missing packets might contain exactly the interesting traffic that identifies a network intruder. Given our first design requirement---high-speed monitoring---then avoiding packet filter drops becomes another strong requirement.

It is sometimes tempting to dismiss a problem such as packet filter drops with an argument that it is unlikely a traffic spike will occur at the same time as an attack happens to be underway. This argument, however, is completely undermined if we assume that an attacker might, in parallel with a break-in attempt, attack the monitor itself (see below).

Real-time notification

One of our main dissatisfactions with our initial off-line system was the lengthy delay incurred before detecting an attack. If an attack, or an attempted attack, is detected quickly, then it can be much easier to trace back the attacker (for example, by telephoning the site from which they are coming), minimize damage, prevent further break-ins, and initiate full recording of all of the attacker's network activity. Therefore, one of our requirements for Bro was that it detect attacks in real-time. This is not to discount the enormous utility of keeping extensive, permanent logs of network activity for later analysis. Invariably, when we have suffered a break-in, we turn to these logs for retrospective damage assessment, sometimes searching back a number of months.

Mechanism separate from policy

Sound software design often stresses constructing a clear separation between mechanism and policy; done properly, this buys both simplicity and flexibility. The problems faced by our system particularly benefit from separating the two: because we have a fairly high volume of traffic to deal with, we need to be able to easily trade-off at different times how we filter, inspect and respond to different types of traffic. If we hardwired these responses into the system, then these changes would be cumbersome (and error-prone) to make.

Extensible

Because there are an enormous number of different network attacks, with who knows how many waiting to be discovered, the system clearly must be designed in order to make it easy to add to it knowledge of new types of attacks. In addition, while our system is a research project, it is at the same time a production system that plays a significant role in our daily security operations. Consequently, we need to be able to upgrade it in small, easily debugged increments.

Avoid simple mistakes

Of course, we always want to avoid mistakes. However, here we mean that we particularly desire that the way that a site defines its security policy be both clear and as error-free as possible. (For example, we would not consider expressing the policy in C code as meeting these goals.)

The monitor will be attacked

We must assume that attackers will (eventually) have full knowledge of the techniques used by the monitor, and access to its source code, and will use this knowledge in attempts to subvert or overwhelm the monitor so that it fails to detect the attacker's break-in activity. This assumption significantly complicates the design of the monitor; but failing to address it is to build a house of cards.

We do, however, allow one further assumption, namely that the monitor will only be attacked from one end. That is, given a network connection between hosts A and B, we assume that at most one of A or B has been compromised and might try to attack the monitor, but not both. This assumption greatly aids in dealing with the problem of attacks on the monitor, since it means that we can trust one of the endpoints (though we do not know which).

In addition, we note that this second assumption costs us virtually nothing. If, indeed, both A and B have been compromised, then the attacker can establish intricate covert channels between the two. These can be immeasurably hard to detect, depending on how devious the channel is; that our system fails to do so only means we give up on something extremely difficult anyway.

2   Structure of the system

---

Figure 1: Structure of the Bro system

---

2.1   libpcap

    port finger or port ftp or tcp port 113 or port telnet or port login or port 111

    tcp[13] & 7 != 0

    ip[6:2] & 0x3fff != 0

2.2   Event engine

2.3   Policy script interpreter

3   The Bro language

3.1   Data types and constants

    USER nice\0USER root

    type conn_id: record {
        orig_h: addr;
        orig_p: port;
        resp_h: addr;
        resp_p: port;
    };

    table[port] of string

    table[conn_id] of ftp_session_info

    /sync|lp|uucp|operator|ezsetup|4dgifts/

3.2   Operators

    23/tcp in sensitive_services

  [src_addr, dst_addr, serv] in RPC_okay

  filename in /rootkit-1\.[5-8]/

3.3   Variables

{class} {identifier} [':' {type}] ['=' {init}]

const IRC = { 6666/tcp, 6667/tcp, 6668/tcp };

const ftp_serv = { ftp.lbl.gov, www.lbl.gov };

const allowed_services = {
   [ftp.lbl.gov, ftp], [ftp.lbl.gov, smtp], [ftp.lbl.gov, ident], [ftp.lbl.gov, 20/tcp],
   [www.lbl.gov, ftp], [www.lbl.gov, smtp], [www.lbl.gov, ident], [www.lbl.gov, 20/tcp],
   [nntp.lbl.gov, nntp]
};

const allowed_services: set[addr, port] = {
   [ftp.lbl.gov, [ftp, smtp, ident, 20/tcp]],
   [www.lbl.gov, [ftp, smtp, ident, 20/tcp]],
   [nntp.lbl.gov, nntp]
};

const allowed_services: set[addr, port] = {
   [ftp_serv, [ftp, smtp, ident, 20/tcp]], [nntp.lbl.gov, nntp]
};

global port_names = {
   [7/tcp] = "echo",
   [9/tcp] = "discard",
   [11/tcp] = "systat",
   ...
};

if ( H == ftp.lbl.gov || H == www.lbl.gov )
    if ( S == ftp || S == smtp || ... )
else if ( H == nntp.lbl.gov )
    if ( S == nntp )
...

if ( [S, H] in allowed_services )
     ... it's okay ...

3.4   Statements

function endpoint_id(h: addr, p: port): string
   {
   if ( p in port_names )
      return fmt("%s/%s", h, port_names[p]);
   else
      return fmt("%s/%d", h, p);
   }

4   Implementation issues

5   Attacks on the monitor

5.1   Overload attacks

5.2   Crash attacks

5.3   Subterfuge attacks

---

Figure 2: A TTL-based evasion attack on an intrusion detection system

---

6   Application-specific processing

6.1   Finger

event finger_request(c: connection, user: string, full: bool)

event finger_reply(c: connection, reply_line: string)

6.2   FTP

6.3   Portmapper

6.4   Ident

6.5   Telnet and Rlogin

6.6   Scan detection

7   Status and Experiences

7.1   Implementation status

7.2   Performance

7.3   Crud seen on a DMZ

• ``Storms'' of 10,000 FIN or RST packets, in which due to a protocol implementation error two hosts exchange FIN or RST packets extremely rapidly.
• Storms due to foggy days.<sup>5</sup>
• ``Private'' Internet addresses [Re96] leaking out into the public Internet. These addresses are inherently unroutable, and should never be used by a public Internet connection.
• SYN packets with the ``Urgent'' bit set. For SYN packets, setting ``urgent'' does not make any sense, since the connection is not yet established and hence cannot possibly have urgent data to send. Such packets are problematic, however, because some firewalls and monitors that are not carefully coded look for the beginning of connections to be indicated by the TCP ``flags'' field being equal to the SYN flag, rather than simply having the SYN flag set. When the Urgent bit is set, the field is no longer equal to the SYN flag.
• TCPs that when retransmitting data can send different data for the same sequence numbers as they sent the first time.
• TCPs that sometimes acknowledge receipt of data never sent.
• IP fragments in which the initial fragment is very small and the final fragment is large. Such fragments can be used to attempt to circumvent firewalls and monitors that do not do fragment reassembly.
• Fragments with the ``Don't Fragment'' bit set. While allowed by the IP standard, it is difficult to envision a situation in which such fragments can be legitimately constructed, yet we do indeed see them on clearly innocuous traffic.
• Overlapping fragments, in which the end of the first fragment is common with the beginning of the second. Such fragments are also used for ``teardrop'' denial-of-service attacks.
• Overlapping fragments for which the two fragments disagree on the contents of the overlapped region.

8   Future directions

9   Acknowledgements

A   Example: tracking Finger traffic

void FingerConn::BuildEndpoints()
   {
   resp = new TCP_EndpointLine(this, 1, 0, 1);
   orig = new TCP_EndpointLine(this, 0, 0, 1);
   }

int FingerConn::NewLine(TCP_Endpoint* /* s */, double /* t */, char* line)
   {
   line = skip_whitespace(line);

   // Check for /W.
   int is_long = (line[0] == '/' && toupper(line[1]) == 'W');
   if ( is_long )
      line = skip_whitespace(line+2);

   val_list* vl = new val_list;
   vl->append(BuildConnVal());
   vl->append(new StringVal(line));
   vl->append(new Val(is_long, TYPE_BOOL));

   mgr.QueueEvent(finger_request, vl);
   return 0;
   }

type endpoint: record {
   size: count; state: count;
};
type connection: record {
   id: conn_id;
   orig: endpoint; resp: endpoint;
   start_time: time;
   duration: interval;
   service: string;      # if empty, service not yet determined
   addl: string;
   hot: count;           # how hot; 0 = don't know or not hot
};

global hot_names = { "root", "lp", "uucp" };
global finger_log =
              open(getenv("BRO_ID") == "" ?
                         "finger.log" : fmt("finger.%s", getenv("BRO_ID")));

event finger_request(c:connection, request: string, full: bool)
   {
   if ( byte_len(request) > 80 ) {
      request = fmt("%s...", sub_bytes(request, 1, 80));
      ++c$hot;
   }

   if ( request in hot_names )
      ++c$hot;

   local req = request == "" ?  "ANY" : fmt("\"%s\"", request);

   if ( c$addl != "" )
      # This is an additional request.
      req = fmt("(%s)", req);

   if ( full )   
      req = fmt("%s (/W)", req);

   local msg = fmt("%s > %s %s", c$id$orig_h, c$id$resp_h, req);

   if ( c$hot > 0 )
      log fmt("finger: %s", msg);

   print finger_log, fmt("%.6f %s", c$start_time, msg);

   c$addl = c$addl == "" ?  req : fmt("*%s, %s", c$addl, req);
   }

880988813.752829 171.64.15.68 > 128.3.253.104 "feng"
880991121.364126 131.243.168.28 > 130.132.143.23 "anlin"
880997120.932007 192.84.144.6 > 128.3.32.16 ALL
881000846.603872 128.3.9.45 > 146.165.7.14 ALL (/W)
881001601.958411 152.66.83.11 > 128.3.13.76 "davfor"

References

[Ax99]

AXENT Technologies, Intruder Alert, http://www.axent.com/product/smsbu/ITA/, 1999.

[Br88]

R. Brown, ``Calendar Queues: A Fast O(1) Priority Queue Implementation for the Simulation Event Set Problem,'' Communications of the ACM, 31(10), pp. 1220-1227, Oct. 1988.

[Ci99]

Cisco Systems, NetRanger, http://www.cisco.com/warp/public/cc/cisco/mkt/ security/nranger/index.html, 1999.

[CT94]

C. Compton and D. Tennenhouse, ``Collaborative Load Shedding for Media-Based Applications,'' Proc. International Conference on Multimedia Computing and Systems, Boston, MA, May. 1994.

[In99]

Internet Security Systems, Inc., RealSecure^TM, http://www.iss.net/prod/rs.php3, 1999.

[JLM89]

V. Jacobson, C. Leres, and S. McCanne, tcpdump, available via anonymous ftp to ftp.ee.lbl.gov, Jun. 1989.

[Ka91]

B. Kantor, ``BSD Rlogin,'' RFC 1282, Network Information Center, SRI International, Menlo Park, CA, Dec. 1991.

[MJ93]

S. McCanne and V. Jacobson, ``The BSD Packet Filter: A New Architecture for User-level Packet Capture,'' Proc. 1993 Winter USENIX Conference, San Diego, CA.

[MLJ94]

S. McCanne, C. Leres and V. Jacobson, libpcap, available via anonymous ftp to ftp.ee.lbl.gov, 1994.

[MHL94]

B. Mukherjee, L. Heberlein, and K. Levitt, ``Network Intrusion Detection,'' IEEE Network, 8(3), pp. 26-41, May/Jun. 1994.

[Ne99]

Network Flight Recorder, Inc., Network Flight Recorder, http://www.nfr.com, 1999.

[PS93]

V. Paxson and C. Saltmarsh, ``Glish: A User-Level Software Bus for Loosely-Coupled Distributed Systems,'' Proc. 1993 Winter USENIX Conference, San Diego, CA.

[Pa94]

V. Paxson, ``Empirically-Derived Analytic Models of Wide-Area TCP Connections,'' IEEE/ACM Transactions on Networking, 2(4), pp. 316-336, Aug. 1994.

[Pa96]

V. Paxson, flex, available via anonymous ftp to ftp.ee.lbl.gov, Sep. 1996.

[Pa97a]

V. Paxson, ``End-to-End Internet Packet Dynamics,'' Proc. SIGCOMM '97, Cannes, France, Sep. 1997.

[Pa97b]

V. Paxson, ``End-to-End Routing Behavior in the Internet,'' IEEE/ACM Transactions on Networking, 5(5), pp. 601-615, Oct. 1997.

[Pa98]

V. Paxson, ``Bro: A System for Detecting Network Intruders in Real-Time,'' Proc. 7th USENIX Security Symposium, Jan. 1998.

[PR83a]

J. Postel and J. Reynolds, ``Telnet Protocol Specification,'' RFC 854, Network Information Center, SRI International, Menlo Park, CA, May 1983.

[PR83b]

J. Postel and J. Reynolds, ``Telnet Option Specifications,'' RFC 855, Network Information Center, SRI International, Menlo Park, CA, May 1983.

[PR85]

J. Postel and J. Reynolds, ``File Transfer Protocol (FTP),'' RFC 959, Network Information Center, SRI International, Menlo Park, CA, Oct. 1985.

[PN98]

T. Ptacek and T. Newsham, ``Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,'' Secure Networks, Inc., http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps, Jan. 1998.

[PZCMO96]

N. Puketza, K. Zhang, M. Chung, B. Mukherjee and R. Olsson, ``A Methodology for Testing Intrusion Detection Systems,'' IEEE Transactions on Software Engineering, 22(10), pp. 719-729, Oct. 1996.

[RLSSLW97]

M. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth and E. Wall, ``Implementing a generalized tool for network monitoring,'' Proc. LISA '97, USENIX 11th Systems Administration Conference, San Diego, Oct. 1997.

[Re96]

Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear, ``Address Allocation for Private Internets,'' RFC 1918, Feb. 1996.

[Sr95a]

R. Srinivasan, ``RPC: Remote Procedure Call Protocol Specification Version 2,'' RFC 1831, DDN Network Information Center, Aug. 1995.

[Sr95b]

R. Srinivasan, ``XDR: External Data Representation Standard,'' RFC 1832, DDN Network Information Center, Aug. 1995.

[S-J93]

M. St. Johns, ``Identification Protocol,'' RFC 1413, Network Information Center, SRI International, Menlo Park, CA, Feb. 1993.

[To99]

Touch Technologies, Inc., INTOUCH INSA, http://www.ttisms.com/tti/nsa_www.html, 1999.

[WFP96]

G. White, E. Fisch and U. Pooch, ``Cooperating Security Managers: A Peer-Based Intrusion Detection System,'' IEEE Network, 10(1), pp. 20-23, Jan./Feb. 1994.

[Zi91]

D. Zimmerman, ``The Finger User Information Protocol,'' RFC 1288, Network Information Center, SRI International, Menlo Park, CA, Dec. 1991.

1

This paper appears in Computer Networks, 31(23--24), pp. 2435--2463, 14 Dec. 1999. This work was supported by the Director, Office of Energy Research, Office of Computational and Technology Research, Mathematical, Information, and Computational Sciences Division of the United States Department of Energy under Contract No. DE-AC03-76SF00098. An earlier version of this paper appeared in the Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.

2

Or at least appear, according to their product literature, to do the same things---we do not have direct experience with any of these products.

A somewhat different sort of product, the ``Network Flight Recorder,'' is described in [RLSSLW97], though it is now increasingly used for intrusion detection [Ne99].

3

There is a subtle design decision involved with processing all of the generated events before proceeding to read the next packet. We might be tempted to defer event processing until a period of relatively light activity, to aid the engine with keeping up during periods of heavy load. However, doing so can lead to races: the ``event control'' arrow in Figure 1 reflects the fact that the policy script can, to a limited degree, manipulate the connection state maintained inside the engine. If event processing is deferred, then such control may happen after the connection state has already been changed due to more recently-received traffic. So, to ensure that event processing always reflects fresh data, and does not inadvertently lead to inconsistent connection state, we process events immediately, before moving on to newly-arrived network traffic.

4

Some systems, such as DIDS and CSM, orchestrate multiple monitors watching multiple network links, in order to track users as they move from machine to machine [MHL94, WFP96]. These differ from what we envision for Bro in that they require each host in the network to run a monitor.

5

One of the routers on our DMZ has a microwave link to a peer on the other side of San Francisco Bay. On foggy days, this link sometimes ``flaps,'' leading to routing loops on the DMZ in which sets of packets enter routing loops and cross the DMZ 10's or 100's of times, until their TTLs expire.

6

We do indeed see occasional multiple requests. So far, they have all appeared fully innocuous.

This document was translated from L^AT_EX by H^EV^EA.