Components of Bro GUI Framework

Bro GUI Framework is used to automate the creation and execution of policy scripts. There are basically three components that make Bro GUI Framework. The components are listed below as: 4.3.1 Network Traffic

Network traffic comprises of various protocols like HTTP, ARP, TCP, SNMP etc. These protocol packets are captured and analyzed to detect the intrusions effectively. In this thesis, work has been done on the packets of SMTP, FTP, TCP, HTTP protocols. The network traffic is captured and these protocol packets are filtered in order to alert user about the usage of these packets. Further this filtered traffic can be analyzed and examined. The live traffic needed for experimentation is captured by running the following set of commands as:

 bro –i etho file1 > fille2

This command is used to analyze the network traffic from an interface. To capture the live traffic using Bro, –i option is need to be specified. Instead, to read the data captured in a file, an option –r is used at the place of –i. eth0 specifies the interface receiving the network traffic. So, it is recommended to replace it by the appropriate interface name. file1 here refers to the bro script created by the Make Script Form. This script is saved with an extension of .bro. file2 specifies the name of output file where filtered data is saved.

35

 clear

Like clrscr() function used on windows platforms, clear command is used to clear the terminal on Linux platform. After capturing the live traffic screen is cleared by running the

clear command.

 broctl stop

After screen is cleared, broctl stop command is run to stop all the working processes attached with Bro.

These commands help to trace and examine the filtered traffic. 4.3.2 Creation of Policy Scripts

Policy scripts in Bro allow network administrators to fine-tune their Bro installation in order to specifically search out certain types and patterns of traffic, and define them as malicious. Different policy scripts are created for different types of protocols. The policy scripts in Bro GUI Framework are designed to filter live traffic.

Depending on the traffic to be filtered, various parameters are concatenated to make the policy scripts. Three parameters are discussed based on which various policy scripts are created and differentiated.

 Analyzer

Bro policy script is the basic analyzer used by Bro to determine what network events are alarm worthy. A policy can also specify what actions to take and how to report activities, as well as determine what activities to scrutinize. The simplest way to use an analyzer is to @load the standard script associated with the analyzer. Policy files are loaded by using an @load command. In general, the work associated with a particular analyzer is done if policy script defines one or more event handlers associated with the analyzer. For example, Bro will instantiate an FTP analyzer only if policy script defines an ftp_request or ftp_reply handler. If it does not, then when a new FTP connection begins, Bro will only instantiate a generic TCP

36

analyzer for it. The semantics of @load are "load in this script if it hasn't already been loaded", so there is no harm in loading something in multiple policy scripts.

Some policy files loaded are:

@load tcp: Initialize filter for SYN/FIN/RST TCP packets. @load http: General HTTP analyzer.

@load smtp: Record and analyze email traffic. @load ftp: Load FTP packets for analysis.

Some of the common parameters essentially loaded in all the scripts are:

@load weird:Initialize generic mechanism for detecting unusual events.

@load alarm: Open logging file for alarm events.

 Event handler

Specifies name of the handler in Bro language based on which filtration is done. A list of built in handlers is provided in Bro IDS. Some of them are:

a) The tcp analyzer processes traffic associated with SYN/FIN/RST TCP packets. Bro instantiates an tcp analyzer providing event handler tcp_packet is defined.

b) The ftp analyzer processes traffic associated with the FTP file transfer service. Bro instantiates an ftp analyzer for any connection with service port 21/tcp, providing event handler ftp_request is defined.

c) The smtp analyzer processes traffic associated with the email traffic. Bro instantiates an smtp analyzer for any connection with service port 25/tcp, providing smtp_request event handler is defined.

d) The http analyzer processes traffic associated with http packets. Bro instantiates an http analyzer providing event handler http_request is defined.

37

 Arguments defined in handler:

Bro contain a large list of arguments defined in event handler. A set of arguments is needed to be defined in the event handler. They help to define data types of various parameters like length, count, sequence, name etc Depending on the event handler, list of arguments is selected. Some event handlers contain few while some have a large list of argument list. Various Scripts contain some arguments in common. Some of the arguments used are c: connection, is_orig: bool,

command: string, arg: string, flag: string, seq: count, ack: count.

The protocol whose packets are to be filtered is chosen. Based on the selected protocol, arguments are marked and a script is created. The script is saved with a .bro extension. The corresponding script is applied on the live traffic. The filtered traffic is the output and hence, this filtered traffic can be used to detect the intrusions. The Bro GUI Framework automates the process of creation of scripts.

4.3.3 Executing Policy Scripts

The policy scripts created in make script are run on the live traffic in order to get the desired filtered traffic of respective protocol. On selecting the appropriate option, the output i.e filtered traffic is generated. The filtered output is shown on the screen so that users can analyze it and also the filtered traffic is saved in a file on the pre-decided path so that it can be examined for future reference. The filtered traffic e.g. FTP Filtered traffic that serves as output is shown in Figure 4.2

Figure 4.2: Filtered Traffic.