[Bro] NIDS Cluster

Matthias Vallentin vallentin at ICSI.Berkeley.EDU
Fri Mar 14 00:42:26 PDT 2008

I'm cc'ing this issue to the Bro mailing list.

On Mar 14, 2008, at 3:46 AM, Anh Le wrote:

> Hello Matthias,
> I am very interested in your work on NIDS cluster. I have read both
> your Bachelor's thesis and your recent publication in RAID 2007. They
> are very nicely done. However, during my reading, I have several
> questions regarding the Inter-Connection Analysis which I can not find
> the answers. In particular, my questions arise from this paragraph:
> ------------------------------
> Some scripts, however, do require information from multiple
> connections. A prominent example is the scan detector, which counts
> connection attempts per source address. If these reach a certain
> threshold, the system raises an alarm. In the cluster setup, the scan
> detector now must count across backends; we therefore synchronize the
> corresponding tables of counters (which simply entails annotating the
> corresponding script variables with the attribute &synchronized).
> Other examples of scripts needing synchronization are the worm
> detector (which maintains a global list of infected hosts) and the
> SMTP relay detector (which identifies open SMTP relays by associating
> incoming with outgoing mails). Overall, we needed to synchronize 29
> script-level variables spanning 19 different types of analysis.
> ------------------------------
> 1. I can not find details about the 19 types of analysis and 29
> variables mentioned above. I wonder if you could help me with the
> details about them.

Hi Anh,

thanks for delving into these issues so profoundly. I hope I can help  
you with your questions.

At the time of writing the thesis, we counted 29 script variables that  
had to be synchronized in order to maintain the correct global  
semantics. The 19 types of analysis are simply the different uses,  
e.g. scan detection, SMTP relay detection, worm detection, etc. By
looking at the &synchronized variables in the code, you can check to  
which type of analysis the variable corresponds. To this end, consult  
Robin's work branch with the most recent updates on cluster work. Here  
is some information that might help you getting started: http://blog.icir.org/search/label/subversion 

> 2. I also wonder if during your experimentation, you have any
> statistics or insights about the percentage of detection requiring
> Inter-Connection Analysis in comparison with the one only requiring
> Intra-Connection Analysis.

We did not explicitly measure the percentage of inter-connection
vs. intra-connection ratio. When we performed the measurements, the  
scan detection accounted for the largest share of inter-connection
analysis. The other types of analysis were comparably negligible. Note  
that this greatly depends on your traffic's application mix and may  
greatly vary in different environments.

> 3. Finally, does Bro have any DDoS detection policy scripts which
> require Inter-Connection Analysis?

To my knowledge, no such scripts exist (please correct me if I am  
wrong!). But if they did, they sure would require inter-connection  
analysis, as this type of analysis has global semantics.

Feel free to ask any further questions, preferably to the Bro mailing  
list directly!

Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16
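An added example (my own, not code from this thread or from the Bro distribution) of the pattern the quoted paragraph describes: a per-source counter table annotated with &synchronized so that every cluster backend counts against the same state. The notice name, the threshold value and the choice of the connection_attempt event are my assumptions.

```bro
# Scan-detector sketch in the style of the Bro 1.x scripts discussed above.
# The only cluster-specific piece is the &synchronized attribute: without it,
# each backend would keep a private table and a source spread across backends
# would never reach the threshold anywhere.

redef enum Notice += {
    # Assumed notice name for this example.
    SyncScanThreshold,
};

# Assumed threshold; tune per environment (see the remark on traffic mix above).
const sync_scan_threshold = 25 &redef;

# Connection attempts per originating address, shared cluster-wide.
global sync_attempts: table[addr] of count &default=0 &synchronized;

event connection_attempt(c: connection)
    {
    local src = c$id$orig_h;

    # Increment the shared counter; the update is propagated to all backends.
    ++sync_attempts[src];

    # Raise once, exactly when the global count crosses the threshold.
    if ( sync_attempts[src] == sync_scan_threshold )
        NOTICE([$note=SyncScanThreshold, $src=src,
                $msg=fmt("%s reached %d connection attempts (cluster-wide count)",
                         src, sync_scan_threshold)]);
    }
```

Because the counter is global state, the threshold comparison is done on equality rather than `>=` so that only one backend raises the notice when the count is crossed.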

