7th USENIX Security Symposium, San Antonio, Texas
Bro: A System for Detecting Network Intruders in Real-Time
Lawrence Berkeley National Laboratory
We describe Bro, a stand-alone system for detecting network
intruders in real-time by passively monitoring a network link over
which the intruder's traffic transits. We give an overview
of the system's design, which emphasizes
high-speed (FDDI-rate) monitoring, real-time notification,
clear separation between mechanism and policy, and extensibility.
To achieve these ends, Bro is divided into an "event engine"
that reduces a kernel-filtered network traffic stream into a series of
higher-level events, and a "policy script interpreter" that
interprets event handlers written in a specialized language used to express
a site's security policy. Event handlers can update state information,
synthesize new events, record information to disk, and generate real-time
notifications via syslog. We also discuss a number of attacks that
attempt to subvert passive monitoring systems and defenses against these,
and give particulars of how Bro analyzes the four applications
integrated into it so far: Finger, FTP, Portmapper and Telnet.
The system is publicly available in source code form.
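The mechanism/policy split the abstract describes, as an added illustration in Python rather than Bro's own policy language (this is not code from the paper or the Bro distribution): an event engine reduces constructed connection records to events, and a separate policy layer holds handlers that keep state, synthesize a new event and raise a notification. The record format, the `finger_sweep` event and the threshold of 3 are assumptions made for the example.

```python
from collections import defaultdict

class PolicyInterpreter:      # policy layer: handlers per event, shared state, notices
    def __init__(self):
        self.handlers, self.state, self.notices = defaultdict(list), defaultdict(set), []
    def on(self, event):                    # decorator: register a handler for an event
        def register(fn):
            self.handlers[event].append(fn)
            return fn
        return register
    def raise_event(self, name, **args):    # used by the engine and by handlers alike
        for fn in self.handlers[name]:
            fn(self, **args)
    def notify(self, msg):                  # stands in for Bro's real-time syslog output
        self.notices.append(msg)

class EventEngine:            # mechanism layer: reduces low-level records to events
    def __init__(self, policy):
        self.policy, self.established = policy, set()
    def feed(self, client, dport, kind, payload=b""):
        if kind == "SYN-ACK":               # handshake completed: connection-level event
            self.established.add((client, dport))
            self.policy.raise_event("connection_established", client=client, port=dport)
        elif kind == "DATA" and dport == 79 and (client, dport) in self.established:
            user = payload.rstrip(b"\r\n").decode("ascii", "replace")
            self.policy.raise_event("finger_request", client=client, user=user)

SWEEP_THRESHOLD = 3           # constructed policy value, not taken from the paper
def build_policy():           # the "policy script": handlers expressing site policy
    p = PolicyInterpreter()
    @p.on("finger_request")
    def track(p, client, user):             # update state, then synthesize a new event
        p.state[client].add(user)
        if len(p.state[client]) == SWEEP_THRESHOLD:
            p.raise_event("finger_sweep", client=client, users=sorted(p.state[client]))
    @p.on("finger_sweep")
    def report(p, client, users):
        p.notify(f"finger sweep from {client}: {len(users)} distinct users queried")
    return p

SAMPLE = [  # constructed records: (client, dst_port, kind, payload)
    ("10.0.0.5", 79, "SYN", b""), ("10.0.0.5", 79, "SYN-ACK", b""),
    ("10.0.0.5", 79, "DATA", b"root\r\n"), ("10.0.0.5", 79, "DATA", b"admin\r\n"),
    ("10.0.0.5", 79, "DATA", b"guest\r\n"), ("10.0.0.9", 79, "DATA", b"alice\r\n")]

def run(records):             # 10.0.0.9 never completed a handshake, so it raises nothing
    policy = build_policy()
    engine = EventEngine(policy)
    for rec in records: engine.feed(*rec)
    return policy.notices
```

Only the policy layer knows what a "sweep" is; the engine stays unchanged when the site's policy changes, which is the separation the paper argues for.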