[Bro] NIDS Cluster
vallentin at ICSI.Berkeley.EDU
Fri Mar 14 00:42:26 PDT 2008
I'm cc'ing this issue to the Bro mailing list.
On Mar 14, 2008, at 3:46 AM, Anh Le wrote:
> Hello Matthias,
> I am very interested in your work on NIDS cluster. I have read both
> your Bachelor's thesis and your recent publication in RAID 2007. They
> are very nicely done. However, during my reading, I have several
> questions regarding the Inter-Connection Analysis which I cannot find
> the answers. In particular, my questions arise from this paragraph:
> Some scripts, however, do require information from multiple
> connections. A prominent example is the scan detector, which counts
> connection attempts per source address. If these reach a certain
> threshold, the system raises an alarm. In the cluster setup, the scan
> detector now must count across backends; we therefore synchronize the
> corresponding tables of counters (which simply entails annotating the
> corresponding script variables with the attribute &synchronized).
> Other examples of scripts needing synchronization are the worm
> detector (which maintains a global list of infected hosts) and the
> SMTP relay detector (which identifies open SMTP relays by associating
> incoming with outgoing mails). Overall, we needed to synchronize 29
> script-level variables spanning 19 different types of analysis.
> 1. I cannot find details about the 19 types of analysis and 29
> variables mentioned above. I wonder if you could help me with the
> details about them.
thanks for delving into these issues so profoundly. I hope I can help
you with your questions.
At the time of writing the thesis, we counted 29 script variables that
had to be synchronized in order to maintain the correct global
semantics. The 19 types of analysis are simply the different uses,
e.g. scan detection, SMTP relay detection, worm detection, etc. By
looking at the &synchronized variables in the code, you can check to
which type of analysis the variable corresponds. To this end, consult
Robin's work branch with the most recent updates on cluster work. Here
is some information that might help you getting started: http://blog.icir.org/search/label/subversion
> 2. I also wonder if during your experimentation, you have any
> statistics or insights about the percentage of detection requiring
> Inter-Connection Analysis in comparison with the one only requiring
> Intra-Connection Analysis.
We did not explicitly measure the percentage of inter-connection
vs. intra-connection ratio. When we performed the measurements, the
scan detection accounted for the largest share of inter-connection
analysis. The other types of analysis were comparably negligible. Note
that this greatly depends on your traffic's application mix and may
greatly vary in different environments.
> 3. Finally, does Bro have any DDoS detection policy scripts which
> require Inter-Connection Analysis?
To my knowledge, no such scripts exist (please correct me if I am
wrong!). But if they did, they sure would require inter-connection
analysis, as this type of analysis has global semantics.
Feel free to ask any further questions, preferably to the Bro mailing
vallentin at icsi.berkeley.edu
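To make concrete what "annotating the corresponding script variables with the attribute &synchronized" looks like in practice, here is an added example in the Bro scripting language; it is not code from this thread or from Bro's own scan.bro, and the notice name, threshold and expiry interval are assumptions chosen for illustration.

```bro
# Added illustration (not from the thread): a minimal per-source
# connection-attempt counter in the style of the scan detector.
# The table is marked &synchronized so that every cluster backend
# sees the same counts; without it, each backend would count only
# the attempts it happened to see, and a source spread across
# backends could stay below the threshold on every one of them.

redef enum Notice += {
    AttemptThresholdReached,   # hypothetical notice type for this example
};

# Hypothetical threshold; a real deployment would tune this per site.
const attempt_threshold = 100 &redef;

# Connection attempts per originator, shared cluster-wide.
global attempts: table[addr] of count
    &synchronized
    &create_expire = 1 hr;   # forget idle sources after an hour

event connection_attempt(c: connection)
    {
    local orig = c$id$orig_h;

    if ( orig !in attempts )
        attempts[orig] = 0;

    ++attempts[orig];

    # Fire exactly once, when the cluster-wide count crosses the line.
    if ( attempts[orig] == attempt_threshold )
        NOTICE([$note=AttemptThresholdReached, $src=orig, $conn=c,
                $msg=fmt("%s reached %d connection attempts",
                         orig, attempt_threshold)]);
    }
```

Every update to a &synchronized table is propagated to the other backends, so the same variable without the attribute would give each backend its own private view of the counts.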