Bro: A System for Detecting Network Intruders in Real-Time
Author
Vern Paxson
Entry type
inproceedings
Abstract
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the four applications integrated into it so far: Finger, FTP, Portmapper and Telnet. The system is publicly available in source code form.
Address
San Antonio, Texas
Key alpha
Paxson
Publisher
Proceedings of the 7th USENIX Security Symposium
Affiliation
Lawrence Berkeley National Laboratory
Publication Date
2001-01-01
Language
English