9 Haziran 2017 Cuma

What is BroIDS?

A short introduction of what is BroIDS (or shortly with general use Bro):
Bro Intrusion Detection System
BroIDS is an open-source, Unix-based,  network-based IDS. It was developed by Vern Paxson at Lawrence Berkeley National Lab and the International Computer Science Institute. As all NIDS, BroIDS monitors the network traffic to look for any suspicious activity. It parses the network traffic to dig out its application-level semantics and then executes event-oriented analyzers to compare the activities with patterns (whenever a suspicious activity is found on the network, IDS logs them, and those activities are used as patterns to check for similar activities). (1)
BroIDS is an open-source network security monitor which inspects network traffic looking for suspicious activity. The BroIDS framework provides an extensible scripting language that allows an analysis of application to protocol level traffic. All built-in and user added BroIDS scripts output data to log files which can be further analyzed to detect malicious activities. (2)
Features of BroIDS
  • network-based IDS
  • custom scripting language,
  • pre-defined policy scripts,
  • snort signature compatibility support,
  • powerful signature matching facility,
  • different approach of network analysis,
  • detection follows an immediate action. (1)
BroIDS detects definite and abnormal activities, such as certain hosts connecting to certain services, using signatures and patterns of failed connection attempts. As BroIDS logs all activities in detail, it is most useful in network forensic investigations. BroIDS is popular, as it targets high speed, high volume intrusion, and detects using powerful packet filtering techniques to accomplish the essential performance. (1)
Bro is not:
  • an IDS,
  • an IPS,
  • an alerting system,
  • a SIEM,
  • an awesome frontend,
  • a silver bullet, (3)
Analyzing the Traffic
First, BroIDS filters the network traffic and then the remaining information is sent to its event engine, where BroIDS interprets the structure of the network packets and abstracts them into higher-level  events  describing  the  activity. Lastly,  BroIDS  implements  policy  scripts against the events, looking for possible intrusions. (1) 
Policy scripts
BroIDS is an open-source network security monitor that has been in development since 1995. The power of BroIDS is in the extensible scripting engine that analyzes the packet data. There are a wide array of out-of-the-box, pre-written scripts that ship with BroIDS that analyze network traffic. These local scripts write to six different categories of logs; network protocols, files, detection, network observations, miscellaneous, and diagnostics. (2)
"Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered.” These scripts are program written in BroIDS language and have all the rules describing the types of events which are potential intrusions and these policy scripts analyze the activities then initiate actions based on the analysis. It records the activities seen on the network as files and also generates alerts. It is a good idea to consider “Why Bro needs a special language?”, because this is a language which understands specific notions such as ports, IP addresses, connections  etc. and has a different approach to analyze the network to make the task easy. Users of BroIDS need not to learn the BroIDS language to run it. (1)

These scripts take action such as follows:ƒ
  • generating output files which have recorded events on the monitored network,
  • generating alerts if it sees a problem,
  • terminating the existing connections,
  • blocking traffic by placing blocks in to router ACL,
  • sends e-mail messages to the user to report events. (1)
BroIDS can analyze the network with deep levels of abstraction and stores all the past activities and integrate with new ones. (1)
BroIDS can inspect network traffic in real-time or look into a packet capture file that was previously recorded. As part of the analysis, BroIDS looks for known attacks in the same way a typical intrusion detection system would. The benefit of BroIDS is that all connections, sessions, and application level data are written to an extensive set of log files for later review. (2)

25 Mayıs 2017 Perşembe

Next-Generation IPS Requirements

From the White Paper of "McAfee Network Security Platform: The Next-Generation Network IPS"

Requirements for next-generation network intrusion prevention

Gartner Research recently introduced several new criteria for “next-generation network intrusion prevention” that, if adopted, will help organizations deal with the new threat landscape. The Gartner definition for next-generation network intrusion prevention includes the following:

  • Standard first-generation IPS capabilities to support vulnerability-facing signatures and threat-facing signatures: An IPS engine that can perform detection and blocking at wire speeds and rapidly develop and deploy signatures, is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall, based on IPS inspection.
  • Application awareness and full-stack visibility to identify applications and enforce network security policy: This needs to occur at the application layer, independent of the port and protocol, rather than only ports, protocols, and services. Examples include the ability to block families of attacks, based on identifying hostile applications.
  • Context awareness to bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule base: Examples include using directory integration to tie decisions to user identities and using vulnerability, patching state and geolocation information (such as where the source is from or where it should be from) to make more effective blocking decisions. It could also include integrating reputation feeds, such as blacklists and whitelists of addresses.
  • Content awareness of various file types and communications: It should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files (which have already passed through antivirus screening), as well as outbound communications. In addition, it should make pass, quarantine, or drop decisions in near real time.
  • Agile engine: It should support upgrade paths for the integration of new information feeds and new techniques to address future threats, including hitless upgrades, global threat intelligence integration, scalable hardware, signature updates, Snort-capable), packet capture, and complementary solutions (Source: Gartner, Defining Next-Generation Network Intrusion Prevention, 2011)

23 Ocak 2017 Pazartesi

IoT Ransomware...

How close (far) are we from this point?