Last week I spent Monday driving through a few states. It was an eight-hour drive. When possible, I prefer driving over flying. While it may take longer, I use the time to listen to podcasts. Since I had taken the SANS System Forensics, Investigation & Response course (SEC 508), I had access to their lectures in MP3 format. The lecture on Computer Investigative Law for Forensic Analysts was prepared and taught by Richard P. Salgado. I had taken the course at a Community SANS event, close to where my brother lives. Yes, I was trying to keep my expenses down, and my brother and his family were kind enough to put me up for the week. While the course was well taught, knowledge of the legal issues of forensics was not the instructor's strong point. This was reflected by the fact that the students hated that day. If only they had had Richard P. Salgado. He did an amazing job.
Why am I mentioning this in a blog posting on intrusion detection systems (IDS)? The law has an ever-increasing role in IT. This is especially true in the areas of forensics, incident response, and intrusion detection/prevention. Before you set up any IDS, make sure you are authorized and legally clear to do so.
With that disclaimer out of the way, I spent the weekend beginning to develop a network monitoring system. Sure, for years I have worked with Snort, but I am doing something different. For those unfamiliar with Snort, to quote their site:
Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
It is a great product. Along with Snort, I have used the Basic Analysis and Security Engine (BASE), which is based on the Analysis Console for Intrusion Databases (ACID) project. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS. If you are pulling down software, I also suggest checking out Sguil.
This weekend, though, was about setting up an IDS using Bro, another intriguing project. To understand the importance of Bro, you first need to review the different styles of intrusion detection.
- Signature Based – looks for specific, known attacks.
  - Pros: good attack libraries, easy-to-understand results.
  - Cons: unable to detect new attacks, or even just variants of known ones.
- Anomaly Detection – build/infer a profile of “normal use” and flag deviations.
  - Pros: potentially detects a wide range of attacks, including previously unknown types of attacks.
  - Cons: can be “trained” to accept attacks as normal, and potentially misses a wide range of attacks, including known attacks.
- Activity Based – inspect traffic and construct “events,” then look for patterns of activity that deviate from a site policy.
  - Pros: potentially detects a wide range of attacks (including novel ones); the framework can accommodate signatures and anomalies.
  - Cons: policies/specifications require significant development and maintenance, and attack libraries are harder to construct.
Snort is a signature-based IDS. Bro is an activity-based IDS, though it does include a signature engine for matching specific patterns in packet streams, which makes Bro somewhat compatible with Snort. In Bro's analysis, a signature match does not raise an alert directly; it generates an event that is handed to high-level policy scripts, which decide what to do with it. Other differences include that Snort is user friendly while Bro is a beast to learn. Worse still, there are no good guides for Bro. Sure, you can subscribe to the mailing list, and there is a Bro Wiki. Geek00l has done some very good postings:
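As an added illustration (not from this post or the Bro project), here is how a signature match becomes an event that a policy script evaluates rather than an immediate alert, written in current Zeek (formerly Bro) syntax; the signature file name, the threshold and the notice type are assumptions.

```zeek
# Assumed signature file, example.sig (constructed for this illustration):
#
#   signature http-passwd-request {
#       ip-proto == tcp
#       dst-port == 80
#       http-request /.*\/etc\/passwd/
#       event "HTTP request for /etc/passwd"
#   }
#
# The 'event' action does not alert by itself; it raises signature_match,
# and the policy script below decides what to do with it.

@load base/frameworks/notice
@load-sigs ./example.sig

module SigPolicy;

export {
    redef enum Notice::Type += {
        # Raised only when one source trips the signature repeatedly.
        Repeated_Signature_Hit
    };
    # Site policy (assumed): a single hit is noise, this many in the window is not.
    const threshold = 3 &redef;
}

# Per-source hit counter; each entry expires 10 minutes after creation.
global hits: table[addr] of count &default=0 &create_expire=10min;

event signature_match(state: signature_state, msg: string, data: string)
{
    local src = state$conn$id$orig_h;
    ++hits[src];

    # Only the hit that crosses the threshold produces a notice, so a chatty
    # source yields one notice per window instead of one alert per packet.
    if ( hits[src] == threshold )
        NOTICE([$note=Repeated_Signature_Hit,
                $msg=fmt("%s matched %s %d times in 10 min: %s",
                         src, state$sig_id, hits[src], msg),
                $conn=state$conn,
                $identifier=cat(src, state$sig_id)]);
}
```

Run with `zeek -r capture.pcap sigpolicy.zeek` (script file name assumed); single hits are counted silently, and notice.log only receives an entry once a source reaches the threshold.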
- Regex – Magic for NetSe[x|c]Anal(yst)?
- Bro-IDS: Enable Full Content Data Logging
- Time Machine – Payload Centric
- Bro-IDS v1.2
- Bro-IDS – Signature Matching
- FreeBSD – IDS Sensor Tweaking
- Bro-IDS – The learning process
- Multipurposes post :]
- Bro-IDS – Be Loved
- Bro-IDS – Installation Experience
Geek00l convinced Richard Bejtlich to take a second look at Bro, and Richard posted:
That will get you started.
My interest in Bro comes from the fact that one of its design goals was to handle high-speed, large-volume monitoring. Snort, on a security appliance, can handle such traffic; Force10 released such a box, the P10, which can handle up to 1000 signatures. I have worked with the open source version of Snort on high-volume networks, and it has not been pleasant. While the P10 might work well, I am interested in different capabilities.
Bro offers an interesting approach to monitoring 10G traffic. If you are working with FreeBSD, there are ways to tune the kernel. While I have previously run into problems with Bro, my past problems were more likely due to trying to work under the Apple environment: drivers for supported 10G Ethernet cards had not yet been developed. Fortunately, that appears to have changed. I'll post more as I make progress.