NIDS Cluster

I'm cc'ing this issue to the Bro mailing list.

Hello Matthias,

I am very interested in your work on NIDS cluster. I have read both
your Bachelor's thesis and your recent publication in RAID 2007. They
are very nicely done. However, during my reading, I have several
questions regarding the Inter-Connection Analysis which I can not find
the answers. In particular, my questions arise from this paragraph:

------------------------------
Some scripts, however, do require information from multiple
connections. A prominent example is the scan detector, which counts
connection attempts per source address. If these reach a certain
threshold, the system raises an alarm. In the cluster setup, the scan
detector now must count across backends; we therefore synchronize the
corresponding tables of counters (which simply entails annotating the
corresponding script variables with the attribute &synchronized).
Other examples of scripts needing synchronization are the worm
detector (which maintains a global list of infected hosts) and the
SMTP relay detector (which identifies open SMTP relays by associating
incoming with outgoing mails). Overall, we needed to synchronize 29
script-level variables spanning 19 different types of analysis.
------------------------------

1. I can not find details about the 19 types of analysis and 29
variables mentioned above. I wonder if you could help me with the
details about them.

Hi Anh,

thanks for delving into these issues so profoundly. I hope I can help you with your questions.

At the time of writing the thesis, we counted 29 script variables that had to be synchronized in order to maintain the correct global semantics. The 19 types of analysis are simply the different uses, e.g. scan detection, SMTP relay detection, worm detection, etc.. By looking at the &synchronized variables in the code, you can check to which type of analysis the variable corresponds. To this end, consult Robin's work branch with the most recent updates on cluster work. Here is some information that might help you getting started: http://blog.icir.org/search/label/subversion.

2. I also wonder if during your experimentation, you have any
statistics or insights about the percentage of detection requiring
Inter-Connection Analysis in comparison with the one only requiring
Intra-Connection Analysis.

We did not explicitly measure the percentage of of inter-connection vs. intra-connection ratio. When we performed the measurements, the scan detection accounted for largest share of inter-connection analysis. The other types of analysis were comparably negligible. Note that this greatly depends on your traffic's application mix and may greatly vary in different environments.

3. Finally, does Bro have any DDoS detection policy scripts which
require Inter-Connection Analysis?

To my knowledge, no such scripts exist (please correct me if I am wrong!). But if they did, they sure would require inter-connection analysis, as this type of analysis has global semantics.

Feel free to ask any further questions, preferably to the Bro mailing list directly!

     Matthias