Bro: An Open Source Network Intrusion Detection System
Author
Abstract
Bro is a powerful, but largely unknown, open source network intrusion detection system. Based on a sound design, Bro achieves its main goals – separating policy from mechanism, efficient operation in high-volume networks, and withstanding attacks against itself – by using an event-driven approach. Bro contains several analyzers (e.g. protocol decoders for a variety of network protocols and a signature matching engine), which are by themselves policy-neutral but raise events as an abstraction of the underlying network activity. Based on scripts written in Bro's own powerful scripting language, the user defines event handlers to specify his environment-specific policy. We give an overview of the design and implementation of Bro, describe our experiences with deploying it in a large-scale research environment, and present some of our extensions.
Similar sources
An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems
Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability t...
A Fast Worm Scan Detection Tool for VPN Congestion Avoidance
Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote subsidiaries can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and reliably detects and reports worm infected hosts by tracking ano...
Split/Merge: System Support for Elastic Execution in Virtual Middleboxes
Developing elastic applications should be easy. This paper takes a step toward the goal of generalizing elasticity by observing that a broadly deployed class of software—the network middlebox—is particularly well suited to dynamic scale. Middleboxes tend to achieve a clean separation between a small amount of per-flow network state and a large amount of complex application logic. We present a ...
Viable network intrusion detection in high-performance environments
Network intrusion detection systems (NIDS) continuously monitor network traffic for malicious activity, raising alerts when they detect attacks. However, high-performance Gbps networks pose major challenges for these systems. Despite vendor promises, they often fail to work reliably in such environments. In this work, we set out to understand the trade-offs involved in network intrusion detecti...
Improvement and parallelization of Snort network intrusion detection mechanism using graphics processing unit
Nowadays, Network Intrusion Detection Systems (NIDS) are widely used to provide full security on computer networks. IDS are categorized into two primary types: signature-based systems and anomaly-based systems. The former is more commonly used than the latter due to its lower error rate. The core of a signature-based IDS is pattern matching. This process is inherently a computatio...