Using Bro: Field Notes - PowerPoint PPT Presentation

1
Using Bro: Field Notes
  • Aashish Sharma, James J. Barlow
  • NCSA

2
Bro Logs
  • Logs are generated based on active policy files. 
  • Connection Log
  • http
  • ftp
  • irc
  • http-malware
  • alarm
  • weird 
  • smtp
  • dns

3
Incident Response Steps
  • Identification
  • How do we know about the incident? ALERT -> alarm.log
  • Classification
  • What kind of incident is this? <Alert_IP> -> conn.log
  • Tracing
  • Specific protocol used: <Attack_IP/Victim_IP> -> application logs
    (http.log, smtp.log, dns.log, irc.log)
  • Timelines and forensics
  • Log correlation
  • Further investigation: look for other instances of the attacker
    and victim IPs and locate their other footprints in the logs

4
Incident Response: Identification
  • Find which IP addresses the miscreants connected to
  • Find all IP addresses the victim system connected to
  • Find whether the victim downloaded any malware/exploits
  • Find whether an application-layer exploit was involved
    (phpmyadmin etc.)
  • Find how the miscreants used the system (connecting to
    IRC servers, warez downloads/uploads)

5
Alert
  • Date: Sat, 16 May 2009 03:32:36 -0500
  • From: root <root@brohost>
  • To: alert@example.com
  • Subject: Bro HTTP_HotClusterConn
  • W.X.Y.Z/44619 > 195.22.100.56/http 187538 GET /.0/ptrat.c

6
Connection Logs
  • Example logs
  • 1253682062.132509 0.002565 114.94.143.217 W.X.Y.Z
    ftp 33880 21 tcp 0 110 SF X 1
  • 1253682062.134151 0.000000 114.94.143.217 W.X.Y.Z
    other 33958 59916 tcp ? ? RSTOS0 X
  • 1253682062.961178 0.246428 122.127.112.108
    W.X.Y.Z smtp 60419 25 tcp ? 88 RSTOS0 X
  • 1253682063.141424 ? 167.205.22.105 W.X.Y.Z other
    62214 3128 tcp ? ? S0 X cc1
  • Investigation
  • To determine the connection history for attacker and
    victim:
  • grep <ip-address> conn.log

7
Looking into Connection Logs
  • [root@host 16] grep 195.22.100.56 conn.log
  • 1242462756.251120 0.335540 W.X.Y.Z 195.22.100.56 http
    44619 80 tcp 132 2600 SF L 187538 @f2-70ec-af6
  • More human readable format, converting the timestamps:
  • [root@host 16] grep 195.22.100.56 conn.log | /usr/local/bro/bin/cf
  • May 16 03:32:36 0.335540 W.X.Y.Z 195.22.100.56 http
    44619 80 tcp 132 2600 SF L 187538 @f2-70ec-af6
  • Interpret this output:
  • Timestamp 1242462756.251120 = May 16 03:32:36
  • Source IP W.X.Y.Z
  • Destination IP 195.22.100.56
  • Protocol http
  • Source port 44619, destination port 80
  • Src bytes 132, dst bytes 2600
  • Session ID 187538

8
Searching the victim's connections from http logs
  • [root@host 16] grep W.X.Y.Z http.host.
  • 1242462756.361757 187538 start W.X.Y.Z:44619 >
    195.22.100.56:80        <- Malicious connection
  • 1242499269.284229 639604 start W.X.Y.Z:55529 >
    209.132.176.120:80
  • 1242499269.519259 639607 start W.X.Y.Z:52620 >
    134.173.34.196:80
  • 1242499278.737825 639702 start W.X.Y.Z:58699 >
    80.239.156.215:80
  • 1242499281.621408 639723 start W.X.Y.Z:55534 >
    209.132.176.120:80
  • 1242499281.966075 639726 start W.X.Y.Z:41315 >
    128.61.111.9:80
  • 1242499364.754369 640610 start W.X.Y.Z:52628 >
    134.173.34.196:80
  • 1242500609.551910 655947 start W.X.Y.Z:36238 >
    134.173.34.196:80
  • 1242501980.161757 682606 start W.X.Y.Z:53559 >
    134.173.34.196:80
  • Note
  • Extract session ID 187538

9
HTTP: Determining malicious download
  • Looking further at the download history in each of
    these logs:
  • [root@host 16] grep "187538" http.log
  • 1242462756.361757 187538 start W.X.Y.Z:44619
    > 195.22.100.56:80
  • 1242462756.472673 187538 GET /.0/ptrat.c (200
    "OK" 2286 server5.xuna.nl)
  • Here we observe:
  • Local host W.X.Y.Z
  • Downloaded the ptrat.c exploit
  • Remote host 195.22.100.56
  • Remote hostname server5.xuna.nl
  • Way to retrieve the file again: wget
    http://server5.xuna.nl/.0/ptrat.c
  • Be aware
  • Use proxies [careful about information leakage with those as ...
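The pivot that slides 6 to 9 do by hand (grep the alert IP in conn.log, take the session ID, grep it in http.log, convert timestamps with cf) as an added Python example; this is not the authors' code. It assumes the Bro 1.x column layout shown on the slides (12 fixed conn.log columns followed by an addl field carrying the session ID, and http.log request lines of the form shown on slide 9); the sample log lines are constructed from the values on the slides and the -0500 offset is the one in the alert mail.

```python
import re
import time

# Bro 1.x conn.log: 12 fixed columns, then an "addl" field (session ID, tag).
CONN_COLS = ("ts", "duration", "orig", "resp", "service", "orig_port",
             "resp_port", "proto", "orig_bytes", "resp_bytes", "state", "flags")
# http.log request line: <ts> <session> <METHOD> <uri> (<status> "<reason>" <bytes> <host>)
REQ_RE = re.compile(r'^(\S+) (\d+) ([A-Z]+) (\S+) \((\d+) "([^"]*)" (\d+) (\S+)\)$')
# Constructed samples, built from the log lines shown on the slides.
CONN_LOG = [
    "1242462756.251120 0.335540 W.X.Y.Z 195.22.100.56 http 44619 80 tcp 132 2600 SF L 187538 @f2-70ec-af6",
    "1253682062.132509 0.002565 114.94.143.217 W.X.Y.Z ftp 33880 21 tcp 0 110 SF X 1",
    "1253682063.141424 ? 167.205.22.105 W.X.Y.Z other 62214 3128 tcp ? ? S0 X cc1",
]
HTTP_LOG = [
    "1242462756.361757 187538 start W.X.Y.Z:44619 > 195.22.100.56:80",
    '1242462756.472673 187538 GET /.0/ptrat.c (200 "OK" 2286 server5.xuna.nl)',
    "1242499269.284229 639604 start W.X.Y.Z:55529 > 209.132.176.120:80",
]

def parse_conn(line):
    """Name the conn.log columns; the session ID is the first addl token when numeric."""
    parts = line.split()
    rec = dict(zip(CONN_COLS, parts))
    addl = parts[len(CONN_COLS):]
    rec["session_id"] = addl[0] if addl and addl[0].isdigit() else None
    return rec

def cf(ts, utc_offset_hours=-5):
    """Like Bro's cf utility: epoch seconds -> 'May 16 03:32:36' (slides are in -0500)."""
    t = time.gmtime(float(ts) + utc_offset_hours * 3600)
    return time.strftime("%b %d %H:%M:%S", t)

def sessions_for_ip(conn_lines, ip, service="http"):
    """Slide 7 step: grep <ip> conn.log, keeping session IDs of the given service."""
    recs = (parse_conn(l) for l in conn_lines)
    return [r["session_id"] for r in recs
            if ip in (r["orig"], r["resp"]) and r["service"] == service and r["session_id"]]

def downloads_for_session(http_lines, sid):
    """Slide 9 step: grep <session> http.log, returning (time, method, uri, status, bytes, host)."""
    out = []
    for line in http_lines:
        m = REQ_RE.match(line)
        if m and m.group(2) == sid:
            out.append((cf(m.group(1)), m.group(3), m.group(4),
                        int(m.group(5)), int(m.group(7)), m.group(8)))
    return out

def investigate(ip, conn_lines=CONN_LOG, http_lines=HTTP_LOG):  # alert IP -> sessions -> downloads
    return {s: downloads_for_session(http_lines, s) for s in sessions_for_ip(conn_lines, ip)}
```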

10
Other things to look for
  • DNS: dns.bro
  • Mail: smtp.bro
  • HTTP_MALWARE_DOWNLOAD (custom files)
  • New_IRC_Conn

11
DNS Logs and alerts
  • Watch for sensitive hosts
  •         const sensitive_lookup_hosts: set[addr] &redef;
  •         const okay_to_lookup_sensitive_hosts: set[addr] &redef;
  •         redef hostile_domain_list += { "baddomain.com", };
  • OK if zone transfers come from certain addresses
  •         const zone_transfers_okay: set[addr] &redef;
  • Alert if Bro sees other zone transfers

12
HTTP_MALWARE_DOWNLOAD
  • Identify the kind of file downloaded
  • Based on MIME type
  • Malicious files
  • Calculates the MD5 hash of the downloaded file
  • Compares that hash with the published registry of known
    malware hashes
  • t=1247579974.942261 no=HTTP_Malware na=NOTICE_EMAIL sa=W.X.Y.Z sp=3521/tcp
    da=66.71.244.130 dp=80/tcp method=GET
    url=http://www.hotlinkfiles.com/files/2662594_bmhdw/DSC_1810.jpg.scr
    msg=W.X.Y.Z\ ->\ d7d32e5590baf81a57a640caddb5c25b\
    http://www.hotlinkfiles.com/files/2662594_bmhdw/DSC_1810.jpg.scr\
    (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) tag=@c4-6f19-1b2d
  • The above line contains:
  • Source IP
  • Destination IP
  • URL from where the download occurred
  • MD5 hash of the malware
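Pulling the fields the slide lists (source, destination, URL, MD5) out of a Bro 1.x notice line, as an added Python example rather than the authors' code. The only format assumption is what the slide's line shows: space-separated key=value pairs, with spaces inside a value (the msg= field) escaped by a backslash; the sample line is constructed from the slide.

```python
import re

# Constructed sample, built from the HTTP_Malware notice line on the slide.
NOTICE = (
    "t=1247579974.942261 no=HTTP_Malware na=NOTICE_EMAIL sa=W.X.Y.Z sp=3521/tcp "
    "da=66.71.244.130 dp=80/tcp method=GET "
    "url=http://www.hotlinkfiles.com/files/2662594_bmhdw/DSC_1810.jpg.scr "
    "msg=W.X.Y.Z\\ ->\\ d7d32e5590baf81a57a640caddb5c25b\\ "
    "http://www.hotlinkfiles.com/files/2662594_bmhdw/DSC_1810.jpg.scr\\ "
    "(hashed\\ from\\ the\\ Team\\ Cymru\\ malware\\ hash\\ registry) tag=@c4-6f19-1b2d"
)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

def parse_notice(line):
    """Split a notice line into key=value pairs.
    Values may contain backslash-escaped spaces (the msg= field does), so split
    only on spaces that are not preceded by a backslash, then unescape them."""
    fields = {}
    for tok in re.split(r"(?<!\\) ", line.strip()):
        key, _, val = tok.partition("=")   # first '=' only; URLs may contain '='
        fields[key] = val.replace("\\ ", " ")
    return fields

def summarize(line):
    """The four facts the slide says the line carries, plus the notice name."""
    f = parse_notice(line)
    md5 = MD5_RE.search(f.get("msg", ""))
    return {
        "notice": f.get("no"),
        "src": f.get("sa"), "src_port": f.get("sp"),
        "dst": f.get("da"), "dst_port": f.get("dp"),
        "url": f.get("url"),
        "md5": md5.group(0) if md5 else None,
    }
```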

13
HOT_Cluster_Conn
  • Local policy file
  • Based on properties like:
  • A web server, mail server or DNS server shouldn't be
    downloading anything (with a few exceptions like
    patches)
  • List of servers/important systems in your network
  • Monitors for downloads on those systems: yes, all
    downloads, irrespective of file type
  • Customizations like:
  • First 5, 10 downloads are individually alerted upon
  • Summary emails follow
  • Ignore lists

14
New_IRC_Conn
  • Maintain a list of IRC connections
  • Highlight/alert on a new connection
  • Highlight the destination IRC servers (example:
    Undernet)
  • Helps catch bots on the network
  • Date: Mon, 1 Oct 2009 17:00:56 -0500  From: root
    <root@brohost>  To: alerts@example.com  Subject:
    Bro NewIRCConn
  • Mon Oct 12 17:00:56 2009 resolved.host.domain.edu
    W.X.Y.Z:58515 lindbohm.it.su.se 130.237.188.200
    6667
  • Other alerts
  • const irc_hot_words = { "warez", } &redef;

15
Scans
  • scan.bro
  • Alert for internal scans
  • Look for local hosts scanning outbound networks
  • Outside scans
  • Find the scan alert variables you can set:
  • localhost-71:bro$ grep const scan.bro   (reduced
    list)
  •     const suppress_scan_checks = F &redef;
  •     const suppress_UDP_scan_checks = F &redef;
  •     const activate_priv_port_check = T &redef;
  •     const activate_landmine_check = F &redef;
  •     const landmine_thresh_trigger = 5 &redef;
  •     const landmine_address: set[addr] &redef;
  •     const scan_summary_trigger = 25 &redef;
  •     const port_summary_trigger = 20 &redef;
  •     const lowport_summary_trigger = 10 &redef;
  •     const shut_down_thresh = 100 &redef;
  •     const analyze_services: set[port] &redef;
  •     const analyze_all_services = T &redef;

16
Create other custom Alerts
  • Examples based on specific network properties:
  • Web server/cluster head node shouldn't be
    downloading anything (except regular
    updates/patches)
  • No host shall be connecting to Undernet
  • No host shall be sending > 20 emails within an
    hour (except for the mail server)
  • No internal host shall be scanning the network
    (except for the ones permitted)
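The "> 20 emails within an hour, except for the mail server" rule from the list above, as an added Python detection over a stream of outbound SMTP events; this is not the authors' policy code. It assumes events arrive as (epoch seconds, originator IP) pairs already extracted from a log, and the permitted mail-server address and the sample traffic are constructed.

```python
from collections import defaultdict, deque

MAIL_SERVERS = {"10.0.0.25"}   # assumption: the site's permitted mail server (constructed)
THRESHOLD, WINDOW = 20, 3600   # the slide's rule: more than 20 emails within one hour

def smtp_alerts(events, threshold=THRESHOLD, window=WINDOW, allowed=MAIL_SERVERS):
    """events: (ts, originator_ip) per outbound SMTP connection, in time order.
    Returns one (ts, host, count) per host, at the moment it first exceeds
    `threshold` messages inside a sliding `window` of seconds; hosts in
    `allowed` are the mail-server exception and are never alerted on."""
    recent = defaultdict(deque)   # per host: timestamps still inside the window
    alerts, alerted = [], set()
    for ts, host in events:
        if host in allowed:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold and host not in alerted:
            alerted.add(host)
            alerts.append((ts, host, len(q)))
    return alerts

def sample_events(base=1242462756):
    """Constructed traffic: the mail server sends 30 in half an hour (allowed),
    10.0.0.7 sends 25 messages in 25 minutes (should alert on the 21st), and
    10.0.0.9 sends 21 spread over 3 hours (never more than 7 in any hour)."""
    ev = [(base + i * 60, "10.0.0.25") for i in range(30)]
    ev += [(base + i * 60, "10.0.0.7") for i in range(25)]
    ev += [(base + i * 540, "10.0.0.9") for i in range(21)]
    return sorted(ev)
```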

17
Additional useful tips and tricks
  • cf utility: converts Unix timestamps into human
    readable form
  • ls -l /usr/local/packages/bro/bro-1.4/aux/cf
  • Example
  • [root@sleet 16] grep "187538 " http.log | /usr/local/bro/bin/cf
  • May 16 03:32:36 187538 start W.X.Y.Z:44619 > 195.22.100.56:80
  • May 16 03:32:36 187538 GET /.0/ptrat.c (200 "OK" 2286
    server5.xuna.nl)
  • for-each loop for more formatted output (walks every http
    log file, prints its name, then prints each session of
    <ip-address> with converted timestamps):
    for a in `ls -l | awk '{print $9}' - | grep http`; do
        echo $a
        for b in `grep "<ip-address>" $a | grep start | awk '{print $2}' -`; do
            grep "$b " $a | /usr/local/bro/bin/cf
            echo ""
        done
    done | less