Network analysis with the Bro Network Security Monitor
Got Your Back
The Bro Network Security Monitor (Bro) is a network-based analysis framework. Bro's powerful analysis engine makes it adept at high-performance network monitoring, protocol analysis, and tracking application-layer state in real time. This makes Bro a very good intrusion detection system (IDS) and network analysis framework, and analysis around IDS is therefore one of the most popular uses for Bro.
What are some examples of analysis around IDS? Investigations of intrusions are often not just about identifying the event, which can frequently be accomplished with signatures, but about identifying the details of the event so that information security professionals can zero in on specific problems and solutions. Because logs on a compromised host can themselves be tampered with during an event, logging from outside the compromised system is important. For example, while DHCP services are being compromised, protocol-level analysis from a passive monitor can be key to understanding the event.
Bro was originally developed in 1994 by Vern Paxson and was named in reference to George Orwell's Big Brother from his novel Nineteen Eighty-Four. Unix history buffs and computer science majors may recognize Paxson as the original author of flex, the fast lexical analyzer. In this article, I cover the architecture, installation, and use of Bro. Finally, I look at a DHCP compromise example.
Bro Architecture
Bro, like many network tools with a Unix or Linux heritage, uses the libpcap package as part of its architecture. With libpcap support, Bro can run on various networks; the typical Bro architecture is shown in Figure 1.
Besides the portability gained by using libpcap, Bro can also be a passive network tool, which means it can sit behind a network tap or a monitoring (SPAN) port on a switch without itself being a node with an assigned IP address on the monitored network. For the purposes of this article, I will not cover the specifics of the network tap; the basic configuration step is simply to point Bro at the network interface that receives the tapped traffic.
Once Bro receives an IP packet, its application architecture comes into play. Bro's event engine is responsible for accepting packets and converting them to protocol-level events. The events are then forwarded to the policy script interpreter, which runs the site's Bro scripts against them and creates outputs. Bro's application architecture can be represented as shown in Figure 2. Bro's outputs are further classified as actions, alerts, and logs, which I review shortly.
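To make the event engine to policy script path concrete, here is a small Bro policy script I added for this discussion; it is not code from the article or from the Bro project. It takes the dhcp_ack event that the event engine raises for every DHCP acknowledgement and turns it into a Notice-framework alert whenever the answering server is not on an allow list, which is the kind of protocol-level check the DHCP example later in the article relies on. The event signature is the Bro 2.x one (verify it against the installed version), and the module name, notice type and the two server addresses are placeholders I chose for a lab network.

```bro
##! Added example (not from the article or the Bro project): raise a notice
##! when a DHCP ACK is sent by a server that is not on the allow list.
##! Assumes the Bro 2.x dhcp_ack event signature and the Notice framework;
##! the server addresses below are constructed lab placeholders.

@load base/frameworks/notice
@load base/protocols/dhcp

module DHCPWatch;

export {
    redef enum Notice::Type += {
        ## Raised when a DHCP ACK comes from a server not in authorized_servers.
        Unauthorized_Server
    };

    ## Servers that are allowed to hand out leases (placeholder values; redef per site).
    const authorized_servers: set[addr] = { 192.168.1.1, 192.168.1.2 } &redef;
}

# The event engine converts the raw DHCP packet into this event; the policy
# script interpreter runs this handler and decides which output to produce.
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
               router: dhcp_router_list, lease: interval,
               serv_addr: addr, host_name: string)
    {
    # Leases from a known server need no further attention.
    if ( serv_addr in authorized_servers )
        return;

    NOTICE([$note=Unauthorized_Server,
            $msg=fmt("DHCP ACK from unauthorized server %s assigned %s (lease %s)",
                     serv_addr, msg$yiaddr, lease),
            $conn=c,
            # Suppress duplicate notices for the same server for the default interval.
            $identifier=cat(serv_addr)]);
    }
```

Placed in the site scripts directory and loaded from local.bro, the script becomes active after the usual BroControl install and restart. The notice lands in notice.log alongside the connection record, so the alert carries the evidence (server address, assigned address, lease time) that a later investigation needs, collected on the monitor rather than on the host that was handed the lease.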
Dependencies
Like most Linux solutions, Bro doesn't reinvent the wheel for all of its functionality; it uses several pre-existing libraries. The capability to collect and parse Ethernet and IP traffic comes from libpcap [1]. Bro is managed with BroControl, which requires Bash and Python, and the build also needs the BIND 8 and libz libraries. The latest dependencies and high-level instructions for Bro can be referenced at the Bro website [2].
The installation instructions I cover here are based on a CentOS 6.5 Linux distribution. (Note: At the time of publication, CentOS 7 still has a missing dependency for the Python libraries.) The latest Bro packages are included in source and binary form [3]. On CentOS, I download the Bro full install with:
# wget https://www.bro.org/downloads/release/Bro-2.3.1-Linux-x86_64.rpm
Next, I install the Bro RPM package with:
# rpm -ivh Bro-2.3.1-Linux-x86_64.rpm
After the installation completes, Bro can be found in the /opt/bro/ directory, which contains the bin, etc, include, lib, and share subdirectories. To fire up Bro immediately, I use broctl:
# /opt/bro/bin/broctl
warning: cannot read '/var/opt/bro/spool/broctl.dat' (this is ok on first run)
Welcome to BroControl 1.3
Type "help" for help.
[BroControl] >
As the message states, I can ignore the "cannot read" warning message during the first run.
Installing the Policy
At this point, I can install the standard Bro policies by executing the install command at the BroControl prompt:
[BroControl] > install
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
Now that a policy has been installed, the next step is to tell BroControl to start up a Bro instance with the start command:
[BroControl] > start
starting bro ...
[BroControl] >
Whenever Bro starts up, it starts its daemon to listen to all the traffic on the interface defined in its /opt/bro/etc/node.cfg file. This is eth0 by default. If I were monitoring on another interface, I would edit node.cfg to point to the appropriate interface.