Bro: A Network Intrusion Detection System

Intrusion detection is critical for network security. Use Bro to catch miscreants red-handed.

The commercialization of the Internet has both disrupted and reinvented the way business is conducted. Propelled by pervasive connectivity, even small endeavors can global reach, maintain uninterrupted, perennial business hours, and leverage automation and connectivity on an unprecedented scale.

But with these new opportunities comes additional risk. Computers connected to the Internet aren’t quarantined or isolated; instead, the Internet Protocol (IP) connects virtually any computer to any other computer, providing an open avenue for malfeasance, such as as denial-of-service attacks, spoofing, and intrusions.

To counter, firewalls police incoming traffic. But firewalls aren’t perfect, so many organizations deploy further safeguards to detect breaches. One of the most popular additional countermeasures is an intrusion detection system (IDS). The idea? If you can’t beat ’em, at least detect ’em.

There are two types of intrusion detection systems: a host-based intrusion detection system and a network-based intrusion detection system. (The nomenclature is somewhat unfortunate: the names reflect each type’s intent, not the kind of hardware required to run the IDS.)

*A host-based IDS (HIDS) monitors activity and changes on an individual system to determine if that system has been breached. A HIDS scans the system, comparing the system to a “trusted” snapshot. The snapshot is rarely a complete image of the system; alternately, the HIDS is tailored to detect certain attacks by watching specific files. Checksums are used to compare what exists to what’s trusted. On Linux and Unix systems, typical files to monitor include password files, setuid files, new network interfaces, and more.

*A network IDS (NIDS), on the other hand, is an IDS that scans network traffic to detect intrusions. Traditionally, there have been two techniques for NIDS: one watches for a signature (pattern) of malicious traffic, and the other performs anomaly analysis.

A NIDS signature can be quite complex or very simple, but the approach is the same: a real-time sensor compares incoming traffic to notorious signatures. For example, an attack that tries to break out of the virtual file system of a Web server typically sends commands to fetch data outside the “root” directory, using the path ../. A (contrived) signature such as TCP:80:PAYLOAD:../: might set off alarm bells if TCP traffic on port 80 referred to ../. Each NIDS has its own signature format, which may also include other directives, such as an alert level, a description, and a severity.

Anomaly detection looks for unusual activity, as defined by the system and network administrators. For example, Web traffic destined for a server that doesn’t run a Web server would surely be deemed suspicious.

A NIDS isn’t necessarily better than a HIDS, because the two serve different purposes; however, a NIDS can monitor multiple hosts at a time. To take advantage of this capability, though, a network must be configured to either route traffic through the NIDS or to route all traffic to the NIDS as well as the traditional router. The NIDS must also be configured with high enough capacity to capture all the traffic, and in some cases record the traffic to disk. Additionally, the interface provisioned for intrusion detection must also be configured to pass all traffic up the protocol stack. Luckily, most cards made for AMD and Intel processors and Linux support promiscuous mode directly.

An Intro to Bro

Bro (http://www.bro-ids.org/) is a NIDS, with a twist. Bro supports signature analysis, and in fact can read Snort signatures. (Snort is one of the most popular NIDS available.) Bro also performs (a limited form of) anomaly detection, looking for activity that resembles an intrusion. For example, many companies use the so-called RFC 1918 private addresses for internal networks. Bro can be configured to identify an intrusion based upon seeing the network on an external interface, which likely means someone is spoofing the address in an effort to “scale” the firewall and send traffic to the internal network.

Bro runs on many versions of Linux and Unix. (Unfortunately, the Bro Web site doesn’t specify how well each Linux is supported. In some cases, you may have to do some research and tinkering to get Bro to build on your favorite distribution.) For this article, the server ran Trustix Linux Server version 2.2 (TLS) and Bro version 1.1 (the most current version at press time). Trustix lends itself well to a NIDS, because it’s relatively small, is free of most desktop applications, and is one of the more secure versions of Linux.

Bro requires a recent version of the libpcap, openssl, and termcap libraries. libpcap version 2.0.8, openssl version 0.9.7, and termcap version 11.0.1 were used for this article. The latter versions are distributed with Trustix.