Query reagrding Bro Ids

Manoj_Petshali · July 12, 2019, 4:51am

Hi Team,

I am very eager about the Bro and need to know below information :

-We are working in india’s biggest transactional system and facing many issues e.g.

: if some user request is coming from pubic or private network (Internal request) and traverses across many servers and if user receives timeout ( e.g. connection time out, read time out ,rst etc) then we need to know the deep analysis of the same means :

: Why/where the request timed out ?
: Upto which hop the request travelled?
: Network latency between these hopes to know if the latency is the issue?
: tcp handshake and ssl handshake latency and the reason for the same?
: Applicatency latency ? means if the network latency is fine

We searched on wen and got feeling that the Bro is more oriented toward security and do deep packe inspection.But we have many problems like above to resolve .May you please let us know that how Bro can help us to resolve above issues?

Manoj_Petshali · July 12, 2019, 8:24am

Hi Team,

Please respond as we need to implement the same at the earliest.

Jim_Mellander · July 12, 2019, 8:17pm

Hi Manoj:

The issue you described seems more on the networking side, rather than the IDS side. However, it seems likely that a much bigger issue that a business like yours would face would be that of cybersecurity, in particular, securing your servers from unauthorized intrusion and data exfiltration. In this, Zeek (the opensource IDS formerly known as Bro) can play an important role in early detection of possible intrusions.

Hope this helps,

Jim

Aashish_Sharma1 · July 12, 2019, 8:34pm

Hello Manoj,

you can sure use zeek to get more visibility into your traffic and connections.
It has a pretty good and powerful tcp analysis engine built into. I am sure zeek
can get you a lot of diagnostic data - I say that from our experience at
Berkeley Lab where we do a lot of proactive blocking and always rely on zeek's
conn.log (and similar) to look into connectivity issues. So to me what you
seek, is not too difficult.

The difficult part for you is going to be getting this traffic into zeek or
putting taps/sensors at the right places.

Do you have taps on the points you want to monitor ?

Aashish

Manoj_Petshali · July 13, 2019, 8:07am

Hi Ashish,

Thanks a lot for your response.
we do not have taps/sensors as of now. if we have taps placed at right places , may you elaborate what kind of difficulty we may face?
Also let me know if we can filter and send the traffic (without payload) according to our requirement e.g. flags only like syn, synack,ack, timeout etc to zeek for troubleshooting.
May you please share some data/charts depicting the information we are looking for (as per the trail mail ) so that we may proceed further.

Aashish_Sharma1 · July 17, 2019, 8:02pm

Manoj,

(Apologies for the delayed reply!)

we do not have taps/sensors as of now. if we have taps placed at right
places , may you elaborate what kind of difficulty we may face?

That is generally the most difficult part - to put the taps in right places to be
able to sniff the bytes - gain visibility.

YOu might have issues with encryption - in which case you'd still see connection
info but not the contents. I know some sites have workaround where the taps are
'beyond encryption' - ie you might want to tap behind load balancers where SSL
terminates etc.

If you are able to do that, you should be able to get zeek running and seeing
the traffic and also reporting tcp flags/states etc.

Also let me know if we can filter and send the traffic (without payload)
according to our requirement e.g. flags only like syn, synack,ack, timeout
etc to zeek for troubleshooting.

Yes, you can do that - as long as control packets are sent, zeek is able to
handle most, if not all, of connection info. We at Berkeley Lab do this for one
of our deployment.

May you please share some data/charts depicting the information we are
looking for (as per the trail mail ) so that we may proceed further.

I am afraid I don't have data/charts for information you are looking for handy
with me. I'd advice you should run zeek on a laptop/linux box - feed it some
data and see if you are seeing what you desire. If so, you can scale up to your
needs.

roughly 4 years ago we did write a document which shows how you'd deploy zeek:
go.lbl.gov/100g - may be useful.

But as far as what you seek, you should look at conn.log and try to understand
it: read this page -- has pretty detailed info on connection record:

https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.bro.html

Hope this helps.

Aashish

Manoj_Petshali · July 18, 2019, 4:15am

Hi Aashish,

Thanks for knowledge sharing.
We will check the docs and will contact you as and when required.

Topic		Replies	Views
signatures: pros/cons, future plans for bro Zeek	2	89	May 6, 2022
Bro: a question regarding type Zeek	1	75	May 6, 2022
about Zeek	1	60	May 6, 2022
Bro Digest, Vol 101, Issue 4 Zeek	1	70	May 6, 2022
a quick doubt reg bro... Zeek	1	71	May 6, 2022

Query reagrding Bro Ids

Related topics