Category Archives: Bro IDS

Threat Hunting with Bro IDS

This post is a quick look at how I personally use Bro IDS for threat hunting. Specifically some of the queries I run when I start a hunt by data set. A quick note on Bro. Bro IDS is a pretty amazing piece of software for threat hunting and my go to tool of choice. Bro is essentially a protocol analyzer. Furthermore, simply feed it a PCAP file or live traffic and watch if parse out individual protocols such as SMTP, IRC, FTP, HTTP, and a million others in nice individual log files. When examining it’s log files you’ll see that Bro was able to turn that network traffic into useful metadata. And that “metadata” helps to provide us with context which is the key to finding potential threats quickly. A powerful feature to use when hunting is the “bro-cut” utility. Bro-cut saves me a ton of time when writing out my query strings. To get your feet wet with Bro check out the interactive Bro tutorial here: http://try.bro.org/#/?example=hello or if you just want to dive in head first like me then check out my post on installing the latest Bro release on Ubuntu 16 here:

How to Install Bro IDS 2.5 on Ubuntu 16.0x

Before showing you some of the queries here is a quick explanation of some of the Bro-cut options I find useful.

Useful Bro-cut Command Options:

-d convert the epoch time values in the log files to human-readable format.
-c to include a corresponding format header into the output, which allows to chain multiple bro-cut instances or perform further post-processing that evaluates the header information.
-u Converting the timestamp from a log file to UTC
DNS Log
cat dns.log | bro-cut query | sort -u
cat dns.log | bro-cut -d answers | sort -u
Here’s what typical response to “cat dns.log | bro-cut query | sort -u” would show. Clearly one of my clients has an unhealthy obsession with ToysRUs.
Bro-cut and sort on dns.log
“Bro-cut and Sort on dns.log” – Image 1
HTTP Log
bro-cut user_agent < http.log | sort -u
bro-cut mime_type < http.log | sort -u
cat http.log | bro-cut host | sort | uniq -c | sort -n | tail -n 10
cat http.log | bro-cut referrer | sort -u
Bro-cut HTTP Referrer Sort
“Bro-cut HTTP Referrer Sort” – Image 2
 SSL Log
cat ssl.log | bro-cut server_name, subject | sort -u
Bro-cut SSL ServerName Sort
“Bro-cut SSL ServerName Sort” – Image 3
Connection Log
cat conn.log | bro-cut -d ts uid host uri
cat conn.log | bro-cut service resp_bytes id.resp_h | sort -u
cat conn.log | bro-cut service id.resp_p id.resp_h | awk '$1 == "http" && ! ($2 == 80 || $2 == 8080) { print $3 }' | sort -u
cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5
cat conn.log | bro-cut service | sort | uniq -c | sort -n
Bro-cut Connection Log Service Sort
“Bro-cut Connection Log Service Sort” – Image 4
That’s just a few to get anyone new to threat hunting with Bro started. If you have any questions or comments feel free to berate me at @jamesbower

How to Install Bro IDS 2.5 on Ubuntu 16.0x

I decided to write out the steps I took to for installing Bro IDS 2.5 on Ubuntu 16.0x. Before we begin installing Bro from source we need to make sure we have all the correct dependencies.

On Ubuntu 16.0x you can run the following:

sudo apt-get install cmake make gcc g++ flex git bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing Notifications
In order to get notification emails from Bro we’ll install Sendmail

sudo apt-get install sendmail

Installing GeoIP
Having GeoIP on your Bro box is a great addition.

sudo apt-get install libgeoip-dev
sudo chown -R sniper:sniper /usr/share/GeoIP/
cd /usr/share/GeoIP/
mv GeoIP.dat GeoIP.dat.old
mv GeoIPv6.dat GeoIPv6.dat.old
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Installing IPSumDump

wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
gunzip ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar
cd ipsumdump-1.85/
./configure
make
sudo make install

Installing GPerftools

sudo apt-get install libgoogle-perftools-dev

Installing PF_Ring

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel/
make && sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install
sudo ldconfig
sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Installing Bro from Source

git clone --recursive git://git.bro.org/bro
cd bro
./configure --with-pcap=/opt/pfring
make
sudo make install

Make sure that Bro is configured to use PF_Ring

ldd /usr/local/bro/bin/bro | grep pcap
Bro IDS Image 1 - Confirming Pfring Installation
Bro IDS Image 1 – Confirming Pfring Installation

Now adjust your PATH environment

export PATH=/usr/local/bro/bin:$PATH
echo 'export PATH=/usr/local/bro/bin:$PATH' >> ~/.bashrc

Now to test that GeoIP is working.

bro -e "print lookup_location(8.8.8.8);"

[country_code=US, region=CA, city=Mountain View, latitude=37.384499, longitude=-122.088097]

Configuring Bro
Next we need to configure Bro

The first step is letting Bro know which interface it needs to monitor.

sudo nano /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

Running Broctl

broctl

(I got the below error message concerning permissions since I was running as a non-root user.)

Bro IDS Image 2 – Local User Permission Error
Bro IDS Image 2 – Local User Permission Error

So I modified the permissions with “chown”.

sudo chown -R sniper:sniper /usr/local/bro/spool/
sudo chown -R sniper:sniper /usr/local/bro/logs/
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/broctl
Bro IDS Image 3 – Running Bro
Bro IDS Image 3 – Running Bro

 

Now we just need to start Bro

broctl

[BroControl] >install
[BroControl] >status

Bro IDS Image 4 – Checking Bro Status
Bro IDS Image 4 – Checking Bro Status

And we’re in business.