Automation for network security: BanHammer-ng and Brozilla

Automation for network security: BanHammer-ng and Brozilla

Anthony Verez


Questions: averez on #airmozilla and #security


  1. BanHammer-ng: blocking bad guys on Mozilla network banhammer-ng logo
  2. Brozilla: Intrusion Detection with Bro at Mozilla
Kudos to Jeff for the logo!

BanHammer-ng -- What?

  • Centralized system to block external IP addresses from the Mozilla network
  • Gets security events from our security logging system
  • Computes a score for each event and sum scores for each attacker
  • Notifications via IRC and emails depending on score thresholds
  • Allows an operator to apply suitable blocking mechanism

BanHammer-ng -- What?

Offender diagram

BanHammer-ng -- Why?

  • We didn't know where someone was blocked on our load balancers
  • Need to streamline the blocking workflow
  • Time consuming
  • Bad experience including for legitimate users (e.g: university proxy, NAT)
  • We wanted finer granularity for blacklists than the old BanHammer
  • Block only access to specified websites, usually not download/updates websites

BanHammer-ng -- How?

Worflow diagram

BanHammer-ng -- Demo

To sum up

  • System to give ability to operators to quickly block attackers
  • Fine-grained blocking mechanisms
  • Captive portal where suspicious visitors have to resolve a captcha
  • Code:

Network Security Monitoring (NSM)

  • Copy traffic to sensors for security inspection
  • Security Onion: Linux distribution for Network Security Monitoring
    • Snort: Rules-based Intrusion Detection System
                  alert any any -> any any
                  (flags: SF,12; msg: "Possible SYN FIN scan";)
    • CapMe: tool to search through network capture dumps
    • Bro: Framework and programming language to get information from traffic


Bro logo
  • Packet capture
  • Traffic inspection
  • Attack detection
  • Log recording
  • Scripting language
Bro logo design by DigiP

Moar Bro

opsec rack
  • Real-time analysis
  • You have to define what is an attack
  • Forensics
  • High speed: clusters for 40+ Gb/s

NSM -- Where Is That Box?

nsm architecture


  • Leverage Bro to detect attacks and security incidents on Mozilla network
  • Very early stage
  • What would we rather use Snort for?
    • Third party rules
    • Known suspicious hosts
    • Malware
    • Software vulnerabilities/exploit attempts


  • We plan to use Bro to detect
    • SSL negotiations network-wide
    • Sensitive information exchanged using plaintext protocols
    • Unauthorized scans
    • Outdated version of software (think Java plugin)
  • Conduct network forensics for incident response

NSM -- Log storage and visualization

Kibana Brownian
  • Storage
    • Files + awk
    • Elastic Search
  • Visualization on top of Elastic Search
    • ELSA
    • Kibana
    • Brownian


Red panda (Firefox) Photo by Yortw