- Setup VM
  - Copy files from stick to USB
  - Install VirtualBox & VirtualBox Extensions
  - Uncompress files: 7-zip on Windows, "The Unarchiver" on Mac
  - Log on as bro/bro
  - Class files, either: /home/bro/training/
- What is Bro?
  - Bro is a language first
  - Event-driven
  - Built-in types like IP address and time interval are designed for network analysis
  - Built-in functions can be implemented in C++ for speed and integration with other tools
- A Tour of the Bro logs
  - Run Bro against a PCAP (e.g. /opt/TrafficSamples/faf-traffic.pcap)
  - Go through some of the logs (e.g. cat files.log | colorize)
- SSL/TLS
  - Exercise: bro -C -r rsasnakeoil2.cap
  - Exercise: bro -r basic-gmail.pcap
- HTTP Auth
  - Exercise (pcap): bro -C -r http-auth.pcap
  - Exercise (script): bro -C -r http-auth.pcap http-auth.bro
- bro-cut
  - Exercise: bro -C -r http-basic-auth-multiple-failures.pcap
  - What is the count of the distinct status_code?
    cat http.log | bro-cut status_code | sort | uniq -c | sort -n
  - What were the status codes by username?
- Sumstats Introduction
  - What is sumstats?
  - Review FTP Bruteforcing
  - Review the previous exercise: can we apply this model to detect HTTP basic auth bruteforcing? Suggest some methods.
  - Based on the previous example, can you implement a solution? For bruteforcers? For the bruteforced?
  - Execute both detections:
    bro -C -r http-basic-auth-multiple-failures.pcap detect-http-basic-auth-bruteforcer.bro detect-http-basic-auth-server-bruteforced.bro
  - Discuss derivations and improvements: tracking by ASN, remote subnet, whitelisting, blacklisting
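One way to answer both questions (the bruteforcer and the bruteforced server) with a single SumStats script, written here as an added example and not the class's detect-http-basic-auth-*.bro solutions. It follows the structure of the FTP bruteforcing policy reviewed above: two streams fed by the same observation, one keyed by the client, one by the server. The module name, stream names, threshold of 10 failures and 5 minute window are assumptions; the script targets the Bro 2.2-era SumStats API and counts a 401 reply only when the request carried an Authorization header (a bare 401 is just the server's challenge).

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/http

module HTTPAuthBrute;

export {
	redef enum Notice::Type += {
		## One client produced many failed HTTP basic auth attempts (keyed by orig_h).
		Bruteforcer,
		## One server received many failed HTTP basic auth attempts (keyed by resp_h).
		Server_Bruteforced,
	};

	## Failed attempts per window before a notice fires (assumed value).
	const threshold: double = 10.0 &redef;
	## Measurement window (assumed value).
	const window: interval = 5min &redef;
}

event bro_init()
	{
	# Stream 1: failures per attacking client.
	local r_client: SumStats::Reducer = [$stream="http.auth.failed_by_client",
	                                     $apply=set(SumStats::SUM)];
	SumStats::create([$name="http-basic-auth-bruteforcer",
	                  $epoch=window,
	                  $reducers=set(r_client),
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["http.auth.failed_by_client"]$sum;
	                  	},
	                  $threshold=threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["http.auth.failed_by_client"];
	                  	NOTICE([$note=Bruteforcer,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s had %d failed HTTP basic auth attempts in %s",
	                  	                 key$host, r$num, window),
	                  	        $identifier=cat(key$host)]);
	                  	}]);

	# Stream 2: the same observations, keyed by the server being attacked.
	local r_server: SumStats::Reducer = [$stream="http.auth.failed_by_server",
	                                     $apply=set(SumStats::SUM)];
	SumStats::create([$name="http-basic-auth-server-bruteforced",
	                  $epoch=window,
	                  $reducers=set(r_server),
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["http.auth.failed_by_server"]$sum;
	                  	},
	                  $threshold=threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["http.auth.failed_by_server"];
	                  	NOTICE([$note=Server_Bruteforced,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s received %d failed HTTP basic auth attempts in %s",
	                  	                 key$host, r$num, window),
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

# A 401 reply to a request that carried credentials is one failed attempt.
# c$http$username is filled in by base/protocols/http from the Authorization header.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	if ( code != 401 || ! c?$http || ! c$http?$username )
		return;

	SumStats::observe("http.auth.failed_by_client", [$host=c$id$orig_h], [$num=1]);
	SumStats::observe("http.auth.failed_by_server", [$host=c$id$resp_h], [$num=1]);
	}
```

Run it against the class pcap with bro -C -r http-basic-auth-multiple-failures.pcap followed by the script name, then look in notice.log. The derivations listed above drop in at the observation: replacing [$host=c$id$orig_h] with a key built from the client's ASN or /24 changes what is counted without touching the reducers, and a whitelist is a return before the observe call.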
  - Additional demonstrations of the same technique.
- Notice Framework
  - Exercise: bro -r synscan.pcap 01_emailing_simple.bro
  - Exercise: bro -r synscan.pcap 02_emailing_complex.bro
  - Exercise: bro -r synscan.pcap 03_avoid_some_scanners.bro
  - Exercise: bro -r mbam_download.trace 04_create_a_new_notice.bro
  - Walk-through: 05_create_an_action.bro
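The five exercises above in one script, added here as an example and not the class's 01_ to 05_ files: email a scan notice, skip the email for expected scanners, and define and implement a new Notice::Action. It assumes the scan notices in synscan.pcap come from the misc/scan policy (Scan::Address_Scan); the expected_scanners subnet, the mail address and the output file name are placeholders.

```bro
@load base/frameworks/notice
@load misc/scan   # assumption: supplies Scan::Address_Scan for the synscan sample

module TrainingNotice;

export {
	redef enum Notice::Action += {
		## Custom action: append the notice to a flat text file.
		ACTION_LOG_TO_FILE,
	};

	## Scanners we expect and do not want mail about (constructed sample subnet).
	const expected_scanners: set[subnet] = { 10.0.0.0/8 } &redef;

	## File the custom action writes to, relative to the working directory.
	const action_file = "notices.txt" &redef;
}

# Emailing needs a destination; placeholder address.
redef Notice::mail_dest = "analyst@example.com";

# 01/02: email every address scan.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( n$note == Scan::Address_Scan )
		add n$actions[Notice::ACTION_EMAIL];
	}

# 03: avoid some scanners. Lower priority, so this runs after the hook above
# and takes the email away again for sources we expect to scan us.
hook Notice::policy(n: Notice::Info) &priority=3
	{
	if ( n$note == Scan::Address_Scan && n?$src && n$src in expected_scanners )
		delete n$actions[Notice::ACTION_EMAIL];
	}

# 04/05: attach the new action to every notice ...
hook Notice::policy(n: Notice::Info) &priority=5
	{
	add n$actions[ACTION_LOG_TO_FILE];
	}

# ... and implement it. Notice::notice is the hook in which actions are carried out.
hook Notice::notice(n: Notice::Info)
	{
	if ( ACTION_LOG_TO_FILE !in n$actions )
		return;

	local f = open_for_append(action_file);
	print f, fmt("%s\t%s\t%s\t%s", n$ts, n$note,
	             n?$src ? cat(n$src) : "-",
	             n?$msg ? n$msg : "-");
	close(f);
	}
```

Replay synscan.pcap with this script loaded and compare notice.log with notices.txt: every notice appears in both, but only scans from outside expected_scanners carry ACTION_EMAIL in the actions column.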
- Intel Framework
  - Exercise 1: Create an Intel file
  - Exercise 2: Notice on Intel hits
  - Exercise 3: Notice on specific types of Intel hits
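The three Intel exercises as one added example script (not the class solution): it loads a tab-separated intel file, raises a notice on every hit, and raises a second, separate notice only for domain indicators. The file path, module name and the sample indicator in the comment are assumptions; the file layout follows the framework's own input format, where the header line names the columns and indicator_type holds an Intel::Type value.

```bro
@load base/frameworks/intel
@load base/frameworks/notice
@load frameworks/intel/seen   # feeds hosts, domains, URLs etc. into the matcher

module TrainingIntel;

export {
	redef enum Notice::Type += {
		## Exercise 2: raised on every intel hit.
		Hit,
		## Exercise 3: raised only for hits on Intel::DOMAIN indicators.
		Domain_Hit,
	};
}

# Exercise 1: the intel file (path is an assumption). Fields are TAB separated;
# the first line is the header, then one indicator per line, for example:
#   #fields	indicator	indicator_type	meta.source	meta.desc
#   badhost.example	Intel::DOMAIN	training	constructed sample indicator
redef Intel::read_files += { "/home/bro/training/intel/sample.intel" };

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# One indicator can be in several feeds; list every source that had it.
	local sources = "";
	for ( item in items )
		sources = sources == "" ? item$meta$source : fmt("%s,%s", sources, item$meta$source);

	local msg = fmt("Intel hit on %s (%s, seen %s) from feed(s): %s",
	                s$indicator, s$indicator_type, s$where, sources);

	# s$conn is optional: hits found in file content may carry no connection.
	if ( s?$conn )
		NOTICE([$note=Hit, $msg=msg, $conn=s$conn, $identifier=cat(s$indicator, s$where)]);
	else
		NOTICE([$note=Hit, $msg=msg, $identifier=cat(s$indicator, s$where)]);

	# Exercise 3: a second notice type keyed on the indicator type only.
	if ( s$indicator_type == Intel::DOMAIN )
		NOTICE([$note=Domain_Hit, $msg=msg, $sub=s$indicator, $identifier=cat(s$indicator)]);
	}
```

The $identifier ties into the Notice framework's duplicate suppression, so repeated hits on the same indicator in the same place collapse into one notice per suppression interval; intel.log still records every match.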
- Files Framework
  - File extraction demo
    1. Extract files: bro -r /opt/TrafficSamples/exercise-traffic.pcap extract-all-files.bro
    2. Show files: nautilus extract_files/
    3. Play a video: totem "extract_files/`ls -S1 extract_files | head -n 1`"
  - Writing a script, beginning with the template, can you generate a notice on a specific file type?
    1. 01_notice_on_mimetype_shell.bro
    2. Solution: 01_notice_on_mimetype.bro
  - Running the script: bro -r /opt/TrafficSamples/faf-traffic.pcap 01_notice_on_mimetype.bro
  - Walk-through: 02_run_exiftool.bro
    1. Install exiftool:
       mkdir exiftool
       cd exiftool/
       wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.43.tar.gz
       tar -xzf Image-ExifTool-9.43.tar.gz
    - Modify 02_run_exiftool.bro with the correct path: /home/bro/training/files-framework/exiftool/Image-ExifTool-9.43
    - Run: bro -r /opt/TrafficSamples/faf-traffic.pcap 02_run_exiftool.bro
    - Examine exiftool.log
- ICS
  - Let's start by looking at the Bro default modbus.log; let's replay some traffic:
    bro -r modbus.pcap local
  - What does the modbus.log show?
  - It would be nice to have a simple listing of all modbus pairs for documenting masters/slaves; fortunately Bro includes a policy file to perform this for you. From ~/training/modbus/known_modbus:
    bro -C -r ../modbus.pcap /opt/bro/share/bro/policy/protocols/modbus/known-masters-slaves.bro
  - It would be nice to have some additional detail about the ICS traffic we are seeing on the network. From ~/training/modbus/dump_registers:
    bro -r ../modbus.pcap /opt/bro/share/bro/policy/protocols/modbus/track-memmap.bro
  - What are the most frequently accessed registers?
  - Inspect the script rogue_modbus.bro: what does it do? From ~/training/modbus/rogue_modbus let's go ahead and test it:
    bro -r ../modbus.pcap local ../rogue_modbus.bro
  - Inspect the script modbus_master_slave_pairs.bro: what does it do? From ~/training/modbus/discovered_modbus_pair let's execute the script:
    bro -r ../modbus.pcap local ../modbus_master_slave_pairs.bro
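A minimal version of the master/slave pair tracking the two scripts above are built around, added here as an example; it is not rogue_modbus.bro or modbus_master_slave_pairs.bro, whose contents the page does not show. It assumes the modbus_message event from base/protocols/modbus and writes each newly observed pair to its own log stream and to a notice; the module and notice names are assumptions, and the pair set is in memory only, so it starts empty on every run.

```bro
@load base/protocols/modbus
@load base/frameworks/notice

module TrainingModbus;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## A master/slave pair seen for the first time in this run.
		New_Pair,
	};

	## One line per newly discovered pair (written to trainingmodbus.log).
	type Info: record {
		ts:     time &log;
		master: addr &log;
		slave:  addr &log;
	};

	## Pairs already reported; in memory only, so it resets when Bro restarts.
	global known_pairs: set[addr, addr];
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info]);
	}

event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
	{
	# Only requests identify the master; the reply just mirrors the pair.
	if ( ! is_orig )
		return;

	local master = c$id$orig_h;
	local slave = c$id$resp_h;
	if ( [master, slave] in known_pairs )
		return;

	add known_pairs[master, slave];
	Log::write(LOG, [$ts=network_time(), $master=master, $slave=slave]);
	NOTICE([$note=New_Pair,
	        $msg=fmt("New Modbus master/slave pair: %s -> %s", master, slave),
	        $conn=c,
	        $identifier=cat(master, slave)]);
	}
```

On a plant network the interesting step is the one this example leaves as an exercise: seed known_pairs from a documented list and raise the notice only for pairs that are not in it, which is what a "rogue master" detection needs.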
- Demonstration & Discussion
- Signature Framework
  - Exercise:
    bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local
  - With file extraction:
    bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro extract-all-files.bro
  - Analyze requests/responses:
    for i in `bro-grep info.asp http.log | bro-cut orig_fuids resp_fuids | sed -e 's/\t/\n/' | grep -v '-'`; do cat "extract_files/extract-HTTP-$i"; echo; echo "-------"; done
- blackhole-medfos
  1. Let's get started with a couple of warm-up exercises. Blackhole is one of the most common and frequently updated exploit kits around. Let's see what they look like with Bro's new File Analysis Framework.
  2. How many executable files were downloaded to the host?
  3. bro -r /opt/PCAPS_TRAFFIC_PATTERNS/CRIME/blackhole-medfos/EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap local
  4. How many executable files were downloaded?
  5. less files.log | grep "application" | wc -l
  6. What notices were fired?
  7. less notice.log
- 5-smokekt150
  1. We have Bro identifying signatures in ports and protocols that it understands; in this example, we are going to have Bro key on a specific protocol-related feature.
  2. Let's replay the sample with Bro: bro -r /opt/PCAPS_TRAFFIC_PATTERNS/CRIME/EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local
  3. Explore the log files; I see a number of potential candidates for items we could fire on. Let's look a little deeper. Take a look at the specified .bro file; what are we doing here? Let's replay the pcap extracting header names and values (script).
  4. Now let's investigate the http.log a little further. Let's look a little closer at those http header values:
  5. less http.log | bro-cut server_header_names server_header_values
This content type looks a little weird to me...
text/html; charset=win-1251
What is that?
http://en.wikipedia.org/wiki/Windows-1251
Windows-1251 (a.k.a. code page CP1251) is a popular 8-bit character encoding, designed to cover languages that use the Cyrillic script such as Russian, Bulgarian, Serbian Cyrillic and other languages. It is the most widely used for encoding the Bulgarian, Serbian and Macedonian languages
Is that normal for our environment? Let's see if we can match on that.
```bro
@load base/protocols/http/main
@load base/frameworks/notice

module HTTP;

export {
	redef enum Notice::Type += {
		## raised once per host per 10 min
		Bad_Header
	};

	# Hosts already reported; entries expire 10 minutes after creation.
	global bad_header: set[addr] &create_expire = 10 min;
}

# Fires for every HTTP header name/value pair Bro parses, in either direction.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
	{
	if ( name == "CONTENT-TYPE" && value == "text/html; charset=win-1251" )
		{
		if ( c$id$orig_h !in bad_header )
			{
			add bad_header[c$id$orig_h];
			NOTICE([$note=HTTP::Bad_Header,
			        $msg=fmt("Bad header \"%s\" seen in %s", value, c$uid),
			        $sub=name,
			        $conn=c,
			        $identifier=fmt("%s", c$id$orig_h)]);
			print fmt("%s :name:value: %s:%s", c$uid, name, value);
			}
		}
	}
```
This code is deliberately simple: the http_header event fires for every HTTP header name/value pair Bro sees, and we hook it and check each pair specifically for the Windows-1251 (Cyrillic) content type value.
Did you count how many times this header pair was transmitted in the sample? Here we are thresholding the notice with a global set called bad_header, and hosts time out of that set after 10 minutes via &create_expire: global bad_header: set[addr] &create_expire = 10 min;
Let's go ahead and replay the sample using our new detector.
bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local ../solutions/match-headers.bro
You should now see a thresholded alert in the notice.log.