Firewall Wizards mailing list archives
revised paper on the Bro network-intrusion detection system
From: Vern Paxson <vern () ee lbl gov>
Date: Tue, 22 Feb 2000 01:36:35 PST
A revised version of the Bro paper, which appears in Computer
Networks 31(23-24), Dec. 1999, is now available from:
ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
It has a number of tweaks over the USENIX version, none major, but together
totalling a medium-grade revision. I've appended the abstract.
Vern
Bro: A System for Detecting Network Intruders in Real-Time
Vern Paxson
Network Research Group, Lawrence Berkeley National Laboratory and
AT&T Center for Internet Research at ICSI (ACIRI)
vern () aciri org
We describe Bro, a stand-alone system for detecting network intruders in
real-time by passively monitoring a network link over which the intruder's
traffic transits. We give an overview of the system's design, which
emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear
separation between mechanism and policy, and extensibility. To achieve
these ends, Bro is divided into an "event engine" that reduces a
kernel-filtered network traffic stream into a series of higher-level
events, and a "policy script interpreter" that interprets event handlers
written in a specialized language used to express a site's security
policy. Event handlers can update state information, synthesize new
events, record information to disk, and generate real-time notifications
via syslog. We also discuss a number of attacks that attempt to subvert
passive monitoring systems and defenses against these, and give particulars
of how Bro analyzes the six applications integrated into it so far:
Finger, FTP, Portmapper, Ident, Telnet and Rlogin. The system is publicly
available in source code form.
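The abstract's central design point is the split between mechanism (an event engine that reduces raw traffic into higher-level events) and policy (site-specific handlers that update state, synthesize new events, record to disk and raise notifications). The following Python sketch, written for this page and not taken from Bro's source, models that split over a constructed stream of simplified connection and login records; the record format, event names, the three-failure threshold and the in-memory stand-ins for disk logging and syslog are all assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed site policy for this example: notify after this many failed logins
# from one source host. Bro would express this in a policy script instead.
FAILURE_THRESHOLD = 3

# Constructed sample input standing in for the kernel-filtered packet stream.
# Each record is one observed connection-level event (not real traffic).
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 23, "kind": "syn"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 23, "kind": "established"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 23, "kind": "login", "ok": False},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 23, "kind": "login", "ok": False},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 23, "kind": "login", "ok": False},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "port": 79, "kind": "syn"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "port": 79, "kind": "established"},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "port": 23, "kind": "syn"},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "port": 23, "kind": "established"},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "port": 23, "kind": "login", "ok": True},
]


class EventEngine:
    """Mechanism layer: turns low-level records into named events and
    dispatches them to whatever handlers the policy layer registered.
    It carries no knowledge of what the site considers suspicious."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.queue = []

    def on(self, event, handler):
        self.handlers[event].append(handler)

    def emit(self, event, **fields):
        # Used both by reduce() and by handlers that synthesize new events.
        self.queue.append((event, fields))

    def reduce(self, rec):
        conn = (rec["src"], rec["dst"], rec["port"])
        if rec["kind"] == "syn":
            self.emit("connection_attempt", conn=conn)
        elif rec["kind"] == "established":
            self.emit("connection_established", conn=conn)
        elif rec["kind"] == "login":
            self.emit("login_success" if rec["ok"] else "login_failure", conn=conn)

    def run(self, records):
        for rec in records:
            self.reduce(rec)
            # Drain the queue in order; handlers may enqueue further events.
            while self.queue:
                event, fields = self.queue.pop(0)
                for handler in self.handlers[event]:
                    handler(self, **fields)


class SitePolicy:
    """Policy layer: event handlers that keep state, synthesize events,
    record to 'disk' and raise 'syslog' notifications (both in-memory here)."""

    def __init__(self, engine):
        self.failed = defaultdict(int)  # per-source failed-login counter
        self.disk_log = []              # stands in for records written to disk
        self.notices = []               # stands in for real-time syslog notices
        engine.on("connection_attempt", self.connection_attempt)
        engine.on("login_failure", self.login_failure)
        engine.on("repeated_login_failures", self.repeated_login_failures)

    def connection_attempt(self, engine, conn):
        src, dst, port = conn
        self.disk_log.append(f"attempt {src} -> {dst}:{port}")

    def login_failure(self, engine, conn):
        src = conn[0]
        self.failed[src] += 1
        # Synthesize a higher-level event exactly once, when the threshold is hit.
        if self.failed[src] == FAILURE_THRESHOLD:
            engine.emit("repeated_login_failures", host=src, count=self.failed[src])

    def repeated_login_failures(self, engine, host, count):
        self.notices.append(f"NOTICE: {count} failed logins from {host}")


def analyze(records):
    """Wire the two layers together and return the policy state for inspection."""
    engine = EventEngine()
    policy = SitePolicy(engine)
    engine.run(records)
    return policy


if __name__ == "__main__":
    result = analyze(SAMPLE_RECORDS)
    print("\n".join(result.disk_log + result.notices))
```

Swapping in a different `SitePolicy` changes what is detected without touching `EventEngine`, which is the property the abstract describes as separation between mechanism and policy; the counter-plus-synthesized-event pattern is also the usual way to keep per-event handlers cheap while still producing a single aggregated notification.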