SBM Labs

Cyber Security Collaboration Project

Bro Network Security Monitor use cases
07 Feb 2015

We examined earlier how to install the Bro framework for network traffic analysis. Now let's create several Bro scripts to test its functionality.

Send a copy of the network traffic between the hosts and the Internet to the Bro network interface. Capture it before NAT, so that the internal addresses of the hosts are still visible to Bro.

1. Detect connections to the attacker server.

We assume that a targeted attack on the company infrastructure has been detected and that a number of hosts were infected. Antivirus does not detect the malware, but the attacker's IP address (the command server) has been discovered and blocked by the firewall. Now we are going to identify the infected hosts using network traffic analysis.

We will use an arbitrary external IP address to emulate a connection to the attacker server.

Go to the Bro folder.
# cd /opt/bro/share/bro/site/

Create a new file.
# vi detect_malware.bro

Write the script.
# Raise a notice for every connection from an internal host to the attacker
# server. The address below is the arbitrary one used for this emulation;
# replace it with the command server address discovered during the incident.
export {
    redef enum Notice::Type += {
        Malware_Detected,
    };
}

# connection_established fires once per TCP connection after the handshake,
# so each infected host produces one notice per connection attempt.
event connection_established(c: connection)
{
    if ( c$id$resp_h == 178.32.28.120 && c$id$resp_p == 80/tcp )
    {
        NOTICE([$note=Malware_Detected,
                $msg=fmt("Connection from %s to destination: %s", c$id$orig_h, c$id$resp_h),
                $conn=c]);
    }
}

Include the script in the Bro configuration.
# vi /opt/bro/share/bro/site/local.bro

Add the script path to the file local.bro.
@load site/detect_malware

Install the new configuration and restart Bro.
# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit

Emulate the connection.
# nc -v 178.32.28.120 80

Check the log.
# less /var/opt/bro/logs/current/notice.log

2. Detect a data leak.

We assume that a data leak has been detected on the Internet: the information was published on an HTTP portal. We are going to identify the insider.

Go to the Bro folder.
# cd /opt/bro/share/bro/site/

Create a new file.
# vi detect_data_leak.bro

Write the script.
module HTTP;

# Keep the first post_body_limit bytes of each request body and add them to
# http.log as a post_body column. Request bodies can carry credentials and
# other personal data, so restrict access to http.log accordingly.
export {
    const post_body_limit = 4096;
    redef record Info += {
        post_body: string &log &optional;
    };
}

# http_entity_data fires for every chunk of an entity body; is_orig selects the
# client-to-server direction, i.e. request bodies such as POSTed forms.
# sub_bytes(data, 0, n) returns the first n bytes of data.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    if ( is_orig )
    {
        if ( ! c$http?$post_body )
            c$http$post_body = sub_bytes(data, 0, post_body_limit);
        else if ( |c$http$post_body| < post_body_limit )
            c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 0, post_body_limit - |c$http$post_body|));
    }
}

Include the script in the Bro configuration.
# vi /opt/bro/share/bro/site/local.bro

Add the script path to the file local.bro.
@load site/detect_data_leak

Install the new configuration and restart Bro.
# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit

Start a browser, go to an arbitrary HTTP site and publish a comment or an article in order to check the Bro script.

Check the log.
# less /var/opt/bro/logs/current/http.log

3. Detect attacks on sites.

We are going to create a Bro signature to detect a simple SQL injection.

Go to the Bro folder.
# cd /opt/bro/share/bro/site/

Create a new file.
# vi detect_sql_injection.sig

Write the signature.
# Match HTTP requests on port 80 whose URI contains "union+select", i.e. a
# UNION-based SQL injection as typed into a URL. The regular expression is
# case-sensitive as written; the event string becomes the notice message.
signature sql-sig {
    ip-proto == tcp
    dst-port == 80
    http-request /.*union\+select.*/
    event "SQL Injection detected"
}

Include the signature in the Bro configuration.
# vi /opt/bro/share/bro/site/local.bro

Add the signature path to the file local.bro.
@load-sigs site/detect_sql_injection

Install the new configuration and restart Bro.
# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit

Start a browser and go to the SBM Labs penetration laboratory. Execute the SQL injection http://penlab.sbmlabs.com/sql_injection?company=test'+union+select+version(),null,'null.

Check the log.
# less /var/opt/bro/logs/current/notice.log
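Each of the three use cases ends with "check the log", and on a real sensor that means working through Bro's tab-separated ASCII logs rather than reading them by eye. The following Python script is an added example, not code from the original post or from the Bro project: it parses the Bro log format (honouring the #separator, #fields and #unset_field header lines) and then applies one query per use case: infected hosts per Malware_Detected notice (use case 1), hosts whose captured post_body contains a phrase from the leaked document (use case 2), and the signature's URI regex applied offline to http.log (use case 3). The sample notice.log and http.log contents, the internal addresses, the leak fingerprint "Project Phoenix budget" and the column subsets are constructed for this example; only the attacker address, the signature pattern and the test URI come from the post.

```python
import re
from collections import Counter

ATTACKER_IP = "178.32.28.120"                    # address used in detect_malware.bro above
SQLI_SIG = re.compile(r".*union\+select.*")      # pattern from detect_sql_injection.sig above


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names.
    Honours the #separator and #unset_field header lines; #types, #path,
    #open and #close are skipped. Unset fields ("-") come back as None."""
    sep, unset = "\t", "-"
    fields, records = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # Written as e.g. "#separator \x09": space-delimited, value escaped.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue
        values = line.split(sep)
        records.append({name: (None if val == unset else val)
                        for name, val in zip(fields, values)})
    return records


def infected_hosts(notice_log, attacker_ip=ATTACKER_IP):
    """Use case 1: Malware_Detected notices per internal host, so every host
    that reached the blocked command server is listed, not only the first."""
    hits = Counter()
    for rec in parse_bro_log(notice_log):
        if rec.get("note") == "Malware_Detected" and rec.get("id.resp_h") == attacker_ip:
            hits[rec["id.orig_h"]] += 1
    return hits


def leak_sources(http_log, fingerprint):
    """Use case 2: hosts whose captured request body (the post_body column
    added by detect_data_leak.bro) contains a phrase from the leaked text."""
    return sorted({rec["id.orig_h"] for rec in parse_bro_log(http_log)
                   if rec.get("post_body") and fingerprint in rec["post_body"]})


def sqli_hits(http_log, pattern=SQLI_SIG):
    """Use case 3: apply the signature's URI regex to http.log offline, e.g. to
    check a pattern against recorded traffic before loading it with @load-sigs.
    re.match anchors at the start; the pattern's leading .* matches anywhere."""
    return [(rec["id.orig_h"], rec["uri"]) for rec in parse_bro_log(http_log)
            if rec.get("uri") and pattern.match(rec["uri"])]


def _tsv(*cols):
    return "\t".join(cols)


# Constructed sample logs with a subset of the real columns (the parser keys on #fields).
NOTICE_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#set_separator", ","),
    _tsv("#empty_field", "(empty)"),
    _tsv("#unset_field", "-"),
    _tsv("#path", "notice"),
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "note", "msg"),
    _tsv("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"),
    _tsv("1423303200.1", "C1", "192.168.1.10", "51234", "178.32.28.120", "80", "Malware_Detected",
         "Connection from 192.168.1.10 to destination: 178.32.28.120"),
    _tsv("1423303260.2", "C2", "192.168.1.20", "49152", "178.32.28.120", "80", "Malware_Detected",
         "Connection from 192.168.1.20 to destination: 178.32.28.120"),
    _tsv("1423303320.3", "C3", "192.168.1.10", "51240", "178.32.28.120", "80", "Malware_Detected",
         "Connection from 192.168.1.10 to destination: 178.32.28.120"),
    _tsv("1423303380.4", "C4", "192.168.1.40", "40000", "192.168.1.1", "22", "Scan::Address_Scan", "-"),
])

HTTP_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#set_separator", ","),
    _tsv("#empty_field", "(empty)"),
    _tsv("#unset_field", "-"),
    _tsv("#path", "http"),
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "method", "host", "uri", "post_body"),
    _tsv("#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string", "string"),
    _tsv("1423303400.5", "C5", "192.168.1.33", "52000", "203.0.113.10", "80", "POST", "forum.example",
         "/post_comment", "text=Project Phoenix budget for Q2 is attached"),
    _tsv("1423303460.6", "C6", "192.168.1.34", "52001", "203.0.113.10", "80", "GET", "forum.example",
         "/index.html", "-"),
    _tsv("1423303520.7", "C7", "10.0.0.5", "52002", "203.0.113.20", "80", "GET", "penlab.sbmlabs.com",
         "/sql_injection?company=test'+union+select+version(),null,'null", "-"),
])

if __name__ == "__main__":
    print("infected hosts:", dict(infected_hosts(NOTICE_LOG)))
    print("leak sources:", leak_sources(HTTP_LOG, "Project Phoenix budget"))
    print("signature hits:", sqli_hits(HTTP_LOG))
```

To run it against a sensor, read /var/opt/bro/logs/current/notice.log or http.log into the functions instead of the constructed strings. The parser takes the column names from the #fields header, so the extra columns of a real log do not need to be declared, and a post_body column only exists while detect_data_leak.bro is loaded.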
