Bro Introduction Educause SPC (slide transcript, from old.zeek.org)
Bro Introduction Educause SPC
Seth Hall International Computer Science Institute
Justin Azoff NCSA

Agenda
• 1pm-2:30pm - Intro to Bro
  • Understanding Bro logs.
  • Running Bro.
• 2:30pm-3pm - Break
• 3pm-4:30pm - Scripting
  • Hands-on exercises.

What is Bro?
• Vern Paxson started it in 1995 in response to conditions at LBL.
• How to think about Bro for the moment:
  • Network traffic in -> detailed traffic logs out.
  • Think of it like extended NetFlow.

Bro History

Diversion to look at logs

Back on track

Running Bro By Hand
• To run in “base” mode:
    bro -r traffic.pcap
• To run in a “near broctl” mode:
    bro -r traffic.pcap local
• To add extra scripts:
    bro -r traffic.pcap /home/seth/myscript.bro

Getting Bro up and Running
• Use Bro Control (broctl)!
• What is broctl?
  • Written in Python.
  • Installed by default with Bro.
  • Manages live and long-running Bro instances.
  • Manages the complexity of running clusters.

Network Load Balancing
• If your load outstrips the capacity of a single host, you need this.
• Several options for flow balancing (in no particular order):
  • Arista
  • NetOptics
  • cPacket
  • Gigamon
  • VSS Monitoring

Common border deployment (diagram)
• Bidirectional flow balancer
• Passive tap copying traffic
• Manager: mostly logs and notices (frequently proxies run here too)
• Workers: traffic analysis

Getting Bro up and Running
• In many cases, just two files to edit:
  • networks.cfg
  • node.cfg
• Also, docs on the bro.org website. We have improved cluster docs coming.

networks.cfg
    # List of local networks in CIDR notation, optionally followed by a
    # descriptive tag.
    # For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
    10.0.0.0/8       Private IP space
    192.168.0.0/16   Private IP space
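As an added example (not from the slides or from broctl itself), a small Python parser for the networks.cfg format above, plus a lookup that tells you which local network an address falls into; the sample file contents are constructed, and `local_net_for` is a helper name chosen here.

```python
import ipaddress

# Constructed networks.cfg in the slide's format: one CIDR prefix per
# line, an optional whitespace-separated tag, '#' starts a comment.
SAMPLE_NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
10.0.0.0/8      Private IP space
192.168.0.0/16  Private IP space
fe80::/64       Link-local
"""

def parse_networks_cfg(text):
    """Return [(ip_network, tag)]; raises ValueError on a prefix with host bits set."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        tag = parts[1].strip() if len(parts) > 1 else ""
        # strict=True rejects e.g. 10.0.0.1/8 instead of silently widening it,
        # so a typo in the file surfaces here rather than in Bro's local_nets.
        nets.append((ipaddress.ip_network(parts[0], strict=True), tag))
    return nets

def local_net_for(addr, nets):
    """Most specific local network containing addr, as (network, tag), or None."""
    a = ipaddress.ip_address(addr)
    matches = [(n, t) for n, t in nets if a.version == n.version and a in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None
```

Running it over your real networks.cfg and a handful of addresses you expect to be local (and a few you expect not to be) is a quick way to catch a missing prefix before Bro starts tagging your own hosts as remote.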

node.cfg - standalone
    # This is a complete standalone configuration. Most likely you will
    # only need to change the interface.
    [bro]
    type=standalone
    host=localhost
    interface=eth0
If you have a tiny network and only one interface to monitor, this can work.

node.cfg - cluster
    [manager]
    type=manager
    host=host1

    [proxy-1]
    type=proxy
    host=host1

    [worker-1]
    type=worker
    host=host2
    interface=eth0

    [worker-2]
    type=worker
    host=host3
    interface=eth0
Typically this is what you’ll use.
Bro scales across hosts as a cluster.

On-Host Flow Balancing
• Running one process per host isn’t good when hosts have many CPU cores.
• Scale across cores with on-host flow balancing.
• Most common methods today are PF_Ring and Myricom (with sniffer driver).

Load balancing PF_Ring
• Many people use PF_Ring.
• Linux-only
• Configure Bro with PF_Ring’s libpcap wrapper:
    ./configure --with-pcap=/usr/local/
• node.cfg example:
    [manager]
    type=manager
    host=host1

    [proxy-1]
    type=proxy
    host=host1

    [worker-1]
    type=worker
    host=host2
    interface=eth0
    lb_method=pf_ring
    lb_procs=10

Load balancing Myricom
• Many people use Myricom NICs.
• Works on FreeBSD and Linux
• Buy something in the 8B series with the Sniffer Driver (SNF) license (only 10G NICs).
• Configure Bro with Myricom’s libpcap wrapper:
    ./configure --with-pcap=/opt/snf/
• node.cfg example:
    [manager]
    type=manager
    host=host1

    [proxy-1]
    type=proxy
    host=host1

    [worker-1]
    type=worker
    host=host2
    interface=eth0
    lb_method=myricom
    lb_procs=10
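As an added example covering the standalone, cluster, PF_Ring and Myricom node.cfg layouts above (not from the slides and not broctl's own checks), a Python sanity checker for node.cfg: it reads the INI-style file with configparser, applies a few rules drawn from the slide examples (assumptions, not broctl's actual validation), and counts how many sniffing processes a cluster will start once `lb_procs` is taken into account. The sample file is constructed; `validate` and `worker_process_count` are names chosen here.

```python
import configparser

# Constructed node.cfg in the slides' cluster layout; worker-1 uses PF_Ring lb_procs=10.
SAMPLE_NODE_CFG = """\
[manager]
type=manager
host=host1
[proxy-1]
type=proxy
host=host1
[worker-1]
type=worker
host=host2
interface=eth0
lb_method=pf_ring
lb_procs=10
[worker-2]
type=worker
host=host3
interface=eth0
"""

def parse_node_cfg(text):
    """node.cfg is INI-style, so configparser reads it: section name -> options."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def validate(nodes):
    """Return problems found; the rules are assumptions from the slide examples."""
    problems = []
    types = [n.get("type") for n in nodes.values()]
    if "standalone" in types and len(nodes) != 1:
        problems.append("standalone must be the only node")
    if "standalone" not in types and types.count("manager") != 1:
        problems.append("cluster needs exactly one manager")
    if "standalone" not in types and "worker" not in types:
        problems.append("cluster needs at least one worker")
    for name, n in nodes.items():
        # Sniffing nodes must name an interface; lb_method and lb_procs come as a pair.
        if n.get("type") in ("worker", "standalone") and not n.get("interface"):
            problems.append(f"{name}: sniffing node has no interface")
        if ("lb_method" in n) != ("lb_procs" in n):
            problems.append(f"{name}: lb_method and lb_procs must be set together")
    return problems

def worker_process_count(nodes):
    """Sniffing processes broctl would start: lb_procs per worker, otherwise 1."""
    return sum(int(n.get("lb_procs", 1)) for n in nodes.values() if n.get("type") == "worker")
```

The process count is worth knowing before `broctl install`: with lb_procs=10 on one host you need ten cores free for Bro workers there, not one.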

Cluster Checklist
• SSH key-based authentication for the user running broctl.
• User running Bro has permission to sniff the network interface.
• GeoIP data installed on each system.

It’s configured! Now what?
• Run broctl
    [BroControl] > install
    [BroControl] > start
• Check in <prefix>/logs/current for logs.

Questions?