2013-12 Bro Training Syllabus:

Setup VM:

  1. COPY files from stick to USB
  2. Install VirtualBox & VirtualBox Extensions
  3. Uncompress files: 7-zip on Windows, "The Unarchiver" on Mac
  4. logon bro/bro
  5. Class files, either:
     1. /home/bro/training/

What is Bro?

  1. Bro is a language first
  2. Event-driven
  3. Built-in variables like IP address and time interval are designed for network analysis
  4. Built-in functions can be implemented in C++ for speed and integration with other tools

A Tour of the Bro logs:

  1. Run Bro against a PCAP (e.g. /opt/TrafficSamples/faf-traffic.pcap)
  2. Go through some of the logs (e.g. `cat files.log | colorize`)

SSL/TLS:

  1. Exercise: `bro -C -r rsasnakeoil2.cap`
  2. Exercise: `bro -r basic-gmail.pcap`

HTTP Auth:

  1. Exercise: `bro -C -r http-auth.pcap` (pcap)
  2. Exercise: `bro -C -r http-auth.pcap http-auth.bro` (script)

bro-cut:

  1. Exercise: `bro -C -r http-basic-auth-multiple-failures.pcap`
  2. What is the count of the distinct status_code values? `cat http.log | bro-cut status_code | sort | uniq -c | sort -n`
  3. What were the status codes by username?

Sumstats Introduction:

  1. What is sumstats?
  2. Review FTP Bruteforcing
  3. Review the previous exercise: can we apply this model to detect HTTP basic auth bruteforcing? Suggest some methods.
  4. Based on the previous example, can you implement a solution? For bruteforcers? For the bruteforced?
  5. Review HTTP Basic Auth Brute Forcer Solution
  6. Review HTTP Basic Auth Server Brute Forced Solution
  7. Execute both detections: `bro -C -r http-basic-auth-multiple-failures.pcap detect-http-basic-auth-bruteforcer.bro detect-http-basic-auth-server-bruteforced.bro`
  8. Discuss derivations and improvements: tracking by ASN, remote subnet, whitelisting, blacklisting
  9. Additional demonstrations of the same technique.
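As an added example (not part of the course materials), the Python below reads a constructed http.log in Bro's TSV format, answers the bro-cut question about status codes by username, and prototypes the two sumstats-style checks asked for in the exercises: flagging brute-forcing clients and flagging brute-forced servers. The log lines, the 401-count thresholds and the time windows are assumed values chosen for the demonstration, not numbers from the training pcap.

```python
"""Added example (not part of the training materials): answer the bro-cut
question "status codes by username" and prototype the two sumstats-style
checks (brute-forcing clients, brute-forced servers) over a constructed
Bro http.log sample. Thresholds and the window are assumed values."""
from collections import Counter, defaultdict

# Constructed http.log excerpt in Bro's TSV format (NOT taken from the
# course pcap). Only the columns the exercises ask about are included.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tcount
1385971200.000000\tC1\t10.0.0.5\t40001\t192.0.2.10\t80\tadmin\t401
1385971201.000000\tC2\t10.0.0.5\t40002\t192.0.2.10\t80\tadmin\t401
1385971202.000000\tC3\t10.0.0.5\t40003\t192.0.2.10\t80\troot\t401
1385971203.000000\tC4\t10.0.0.5\t40004\t192.0.2.10\t80\tadmin\t200
1385971300.000000\tC5\t10.0.0.7\t40005\t192.0.2.10\t80\t-\t401
1385971400.000000\tC6\t10.0.0.9\t40006\t192.0.2.10\t80\tbob\t401
1385971500.000000\tC7\t10.0.0.9\t40007\t192.0.2.11\t80\tbob\t200
#close\t2013-12-02-10-05-00
"""


def parse_bro_log(text):
    """Minimal reader for Bro's ASCII logs: the #fields header names the
    columns (which is what bro-cut selects on), #unset_field marks missing
    values."""
    sep, unset, fields, records = "\t", "-", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the header spells the separator as an escape, e.g. \x09
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #empty_field, #path, #types, #close
        elif fields:
            values = [None if v == unset else v for v in line.split(sep)]
            records.append(dict(zip(fields, values)))
    return records


def status_codes_by_user(records):
    """Same result as: cat http.log | bro-cut username status_code | sort | uniq -c
    ("-" stands in for an unset username, as bro-cut prints it)."""
    return Counter((r["username"] or "-", r["status_code"]) for r in records)


def _reaches_threshold(times, threshold, window):
    # sliding window over sorted timestamps: does any run of `threshold`
    # failures fit inside `window` seconds?
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def detect_bruteforcing_clients(records, threshold=3, window=60.0):
    """'For the bruteforcers': clients with `threshold` 401s within `window`.
    Returns {client_addr: total_failures}."""
    failures = defaultdict(list)
    for r in records:
        if r["status_code"] == "401":
            failures[r["id.orig_h"]].append(float(r["ts"]))
    return {h: len(t) for h, t in failures.items()
            if _reaches_threshold(t, threshold, window)}


def detect_bruteforced_servers(records, threshold=5, window=600.0):
    """'For the bruteforced': servers receiving `threshold` 401s within
    `window` from any number of clients (catches a distributed attempt that
    the per-client check misses). Returns {server: {failures, clients}}."""
    failures = defaultdict(list)
    for r in records:
        if r["status_code"] == "401":
            failures[r["id.resp_h"]].append((float(r["ts"]), r["id.orig_h"]))
    return {s: {"failures": len(f), "clients": len({c for _, c in f})}
            for s, f in failures.items()
            if _reaches_threshold([t for t, _ in f], threshold, window)}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_HTTP_LOG)
    for (user, code), n in sorted(status_codes_by_user(recs).items()):
        print(f"{n:>4} {user}\t{code}")
    print("brute-forcing clients:", detect_bruteforcing_clients(recs))
    print("brute-forced servers: ", detect_bruteforced_servers(recs))
```

The two detections deliberately key on different things: the client check looks at one source address, the server check aggregates failures against one destination regardless of source. In the sample, 10.0.0.5 trips the client check on its own, while 192.0.2.10 only trips the server check once the single failures from 10.0.0.7 and 10.0.0.9 are added in, which is the situation the "tracking by ASN, remote subnet" discussion point is about.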

Notice Framework:

  1. Exercise: `bro -r 01_emailing_simple.bro synscan.pcap`
  2. Exercise: `bro -r 02_emailing_complex.bro synscan.pcap`
  3. Exercise: `bro -r 03_avoid_some_scanners.bro synscan.pcap`
  4. Exercise: `bro -r 04_create_a_new_notice.bro mbam_download.trace`
  5. Walk-through 05_create_an_action.bro

Intel Framework:

  1. Exercise 1: Create An Intel File
  2. Exercise 2: Notice on Intel Hits
  3. Exercise 3: Notice on Specific Types of Intel Hits

Files Framework:

  1. File extraction demo
     1. Extract files: `bro -r /opt/TrafficSamples/exercise-traffic.pcap extract-all-files.bro`
     2. Show files: `nautilus extract_files/`
     3. Play a video: ``totem "extract_files/"`ls -S1 extract_files | head -n 1` ``
  2. Writing a script, beginning with the template, can you generate a notice on a specific file type?
     1. 01_notice_on_mimetype_shell.bro
     2. Solution: 01_notice_on_mimetype.bro
  3. Running the script: `bro -r /opt/TrafficSamples/faf-traffic.pcap 01_notice_on_mimetype.bro`
  4. Walk-through 02_run_exiftool.bro
     1. Install exiftool:

        ```sh
        mkdir exiftool
        cd exiftool/
        wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.43.tar.gz
        tar -xzf Image-ExifTool-9.43.tar.gz
        ```

     2. Modify 02_run_exiftool.bro with the correct path: /home/bro/training/files-framework/exiftool/Image-ExifTool-9.43
     3. Run `bro -r /opt/TrafficSamples/faf-traffic.pcap 02_run_exiftool.bro`
     4. Examine exiftool.log

ICS:

  1. Let's start by looking at the Bro default modbus.log; let's replay some traffic: `bro -r modbus.pcap local`
  2. What does the modbus.log show?
  3. It would be nice to have a simple listing of all modbus pairs for documenting masters/slaves; fortunately Bro includes a policy file to do this for you. From ~/training/modbus/known_modbus: `bro -C -r ../modbus.pcap /opt/bro/share/bro/policy/protocols/modbus/known-masters-slaves.bro`
  4. It would be nice to have some additional detail about the ICS traffic we are seeing on the network. From ~/training/modbus/dump_registers: `bro -r ../modbus.pcap /opt/bro/share/bro/policy/protocols/modbus/track-memmap.bro`
  5. What are the most frequently accessed registers?
  6. Inspect the script rogue_modbus.bro: what does it do?
  7. From ~/training/modbus/rogue_modbus, let's go ahead and test it: `bro -r ../modbus.pcap local ../rogue_modbus.bro`
  8. Inspect the script modbus_master_slave_pairs.bro: what does it do?
  9. From ~/training/modbus/discovered_modbus_pair, let's execute the script: `bro -r ../modbus.pcap local ../modbus_master_slave_pairs.bro`
  10. Demonstration & Discussion

Signature Framework:

  1. Exercise: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local`
  2. With file extraction: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro extract-all-files.bro`
  3. Analyze requests/responses:

     ```sh
     for i in `bro-grep info.asp http.log | bro-cut orig_fuids resp_fuids | sed -e 's/\t/\n/' | grep -v '-'`; do cat "extract_files/extract-HTTP-$i"; echo; echo "-------"; done
     ```

blackhole-medfos:

  1. Let's get started with a couple of warm-up exercises. Blackhole is one of the most common and frequently updated exploit kits around. Let's see what they look like with Bro's new File Analysis Framework.
  2. How many executable files were downloaded to the host?
  3. `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/CRIME/blackhole-medfos EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap local`
  4. How many executable files were downloaded?
  5. `less files.log | grep "application" | wc -l`
  6. What notices were fired?
  7. `less notice.log`

5-smokekt150:

  1. We have Bro identifying signatures in ports and protocols that it understands; in this example, we are going to have Bro key on a specific protocol-related feature.
  2. Let's replay the sample with Bro: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/CRIME/EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local`
  3. Explore the log files; I see a number of potential candidates for items we could fire on. Let's look a little deeper. Take a look at the specified .bro file; what are we doing here? Let's replay the pcap extracting header names and values (script).
  4. Now let's investigate the http.log a little further. Let's look a little closer at those http header values:
  5. `less http.log | bro-cut server_header_names server_header_values`

This content type looks a little weird to me:

```
text/html; charset=win-1251
```

What is that?

http://en.wikipedia.org/wiki/Windows-1251

> Windows-1251 (a.k.a. code page CP1251) is a popular 8-bit character encoding, designed to cover languages that use the Cyrillic script such as Russian, Bulgarian, Serbian Cyrillic and other languages. It is the most widely used for encoding the Bulgarian, Serbian and Macedonian languages.

Is that normal for our environment? Let's see if we can match on that.

```bro
@load base/protocols/http/main
@load base/frameworks/notice

module HTTP;

export {
	redef enum Notice::Type += {
		## raised once per host per 10 min
		Bad_Header
	};

	# Client addresses we have already alerted on; each entry is dropped
	# 10 minutes after it was added, which is what rate-limits the notice.
	global bad_header: set[addr] &create_expire = 10 min;
}

# Fires for every header of every request and response (is_orig is not
# tested here, so both directions are examined).
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
	{
	if ( name == "CONTENT-TYPE" && value == "text/html; charset=win-1251" )
		{
		# First match from this client inside the expiry window: alert.
		# Later matches from the same client are suppressed until expiry.
		if ( c$id$orig_h !in bad_header )
			{
			add bad_header[c$id$orig_h];
			NOTICE([$note=HTTP::Bad_Header,
			        $msg=fmt("Bad header \"%s\" seen in %s", value, c$uid),
			        $sub=name,
			        $conn=c,
			        $identifier=fmt("%s", c$id$orig_h)]);

			print fmt("%s :name:value:  %s:%s", c$uid, name, value);
			}
		}
	}
```

This code is overly simple: every time Bro sees an HTTP header name/value pair, this event fires. We simply hook the event and check specifically for that Cyrillic charset value.

Did you count how many times this header pair was transmitted in the sample? Here we are thresholding the notice with a global set called `bad_header`, and we time hosts out using the `&create_expire = 10 min` attribute: `global bad_header: set[addr] &create_expire = 10 min;`
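To make the thresholding visible, here is an added Python model of the handler above (it is not the course's match-headers.bro, and it runs no Bro). It replays a constructed timeline of `http_header`-style events through the same "alert once per client address, forget the address 10 minutes after it was added" logic, so you can see which events raise a notice and when a host becomes eligible again. The event timestamps, addresses and connection uids are made up for the demonstration.

```python
"""Added example (not the course's match-headers.bro): a Python model of
the notice thresholding above, so the effect of `&create_expire = 10 min`
on set[addr] can be seen on a timeline of constructed http_header events."""
from dataclasses import dataclass

EXPIRE_SECONDS = 10 * 60  # models `&create_expire = 10 min`


@dataclass
class HeaderEvent:
    """Stand-in for the arguments Bro hands to event http_header()."""
    ts: float      # network time of the event
    uid: str       # connection uid (c$uid)
    orig_h: str    # client address (c$id$orig_h)
    name: str      # Bro delivers header names upper-cased
    value: str


class BadHeaderDetector:
    def __init__(self, expire=EXPIRE_SECONDS):
        self.expire = expire
        self.bad_header = {}  # addr -> insertion time; models set[addr] &create_expire
        self.notices = []     # (ts, orig_h, uid) for every NOTICE raised

    def _expire(self, now):
        # &create_expire drops an element a fixed interval after it was ADDED,
        # however often it is looked up meanwhile (that would be &read_expire).
        # Bro does this with timers; this model does it lazily per event.
        self.bad_header = {h: t for h, t in self.bad_header.items()
                           if now - t < self.expire}

    def http_header(self, ev):
        """Mirrors the event handler: match once per client per expiry window."""
        self._expire(ev.ts)
        if ev.name == "CONTENT-TYPE" and ev.value == "text/html; charset=win-1251":
            if ev.orig_h not in self.bad_header:
                self.bad_header[ev.orig_h] = ev.ts   # add bad_header[c$id$orig_h]
                self.notices.append((ev.ts, ev.orig_h, ev.uid))
        return self.notices


# Constructed timeline (not from the Smoke EK pcap): one client sees the
# header repeatedly, a second client once, plus one benign charset.
SAMPLE_EVENTS = [
    HeaderEvent(0.0,   "C1", "203.0.113.5", "CONTENT-TYPE", "text/html; charset=win-1251"),
    HeaderEvent(1.0,   "C2", "203.0.113.5", "CONTENT-TYPE", "text/html; charset=win-1251"),
    HeaderEvent(2.0,   "C3", "203.0.113.9", "CONTENT-TYPE", "text/html; charset=win-1251"),
    HeaderEvent(3.0,   "C4", "203.0.113.9", "CONTENT-TYPE", "text/html; charset=utf-8"),
    HeaderEvent(300.0, "C5", "203.0.113.5", "CONTENT-TYPE", "text/html; charset=win-1251"),
    HeaderEvent(650.0, "C6", "203.0.113.5", "CONTENT-TYPE", "text/html; charset=win-1251"),
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the timeline through the detector; returns the notices raised."""
    det = BadHeaderDetector()
    for ev in events:
        det.http_header(ev)
    return det.notices


if __name__ == "__main__":
    for ts, host, uid in run_sample():
        print(f"t={ts:>6.0f}s  Bad_Header from {host} ({uid})")
```

Six matching-or-not events produce three notices: C1 (first sight of 203.0.113.5), C3 (first sight of 203.0.113.9) and C6, because by t=650 s the entry created at t=0 has aged past the 10 minute window; C2 and C5 are suppressed and C4 never matches. Two details worth noticing when reading the Bro version: the comparison is on the literal label `win-1251` (the IANA-registered name for this code page is `windows-1251`, which is part of why the value stands out), and the handler does not test `is_orig`, so the string is checked in request headers as well as response headers.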

Let's go ahead and replay the sample using our new detector:

```sh
bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local ../solutions/match-headers.bro
```

You should now see a thresholded alert in the notice.log.