Threat Hunting with Bro IDS

Next Story

Threat Profile: Killer Swag

This post is a quick look at how I personally use Bro IDS for threat hunting. Specifically some of the queries I run when I start a hunt by data set. A quick note on Bro. Bro IDS is a pretty amazing piece of software for threat hunting and my go to tool of choice. Bro is essentially a protocol analyzer. Furthermore, simply feed it a PCAP file or live traffic and watch if parse out individual protocols such as SMTP, IRC, FTP, HTTP, and a million others in nice individual log files. When examining it’s log files you’ll see that Bro was able to turn that network traffic into useful metadata. And that “metadata” helps to provide us with context which is the key to finding potential threats quickly. A powerful feature to use when hunting is the “bro-cut” utility. Bro-cut saves me a ton of time when writing out my query strings. To get your feet wet with Bro check out the interactive Bro tutorial here: http://try.bro.org/#/?example=hello or if you just want to dive in head first like me then check out my post on installing the latest Bro release on Ubuntu 16 here:

How to Install Bro IDS 2.5 on Ubuntu 16.0x

Before showing you some of the queries here is a quick explanation of some of the Bro-cut options I find useful.

Useful Bro-cut Command Options:

-d convert the epoch time values in the log files to human-readable format.
-c to include a corresponding format header into the output, which allows to chain multiple bro-cut instances or perform further post-processing that evaluates the header information.
-u Converting the timestamp from a log file to UTC
DNS Log
cat dns.log | bro-cut query | sort -u
cat dns.log | bro-cut -d answers | sort -u
Here’s what typical response to “cat dns.log | bro-cut query | sort -u” would show. Clearly one of my clients has an unhealthy obsession with ToysRUs.
Bro-cut and sort on dns.log
“Bro-cut and Sort on dns.log” – Image 1
HTTP Log
bro-cut user_agent < http.log | sort -u
bro-cut mime_type < http.log | sort -u
cat http.log | bro-cut host | sort | uniq -c | sort -n | tail -n 10
cat http.log | bro-cut referrer | sort -u
Bro-cut HTTP Referrer Sort
“Bro-cut HTTP Referrer Sort” – Image 2
 SSL Log
cat ssl.log | bro-cut server_name, subject | sort -u
Bro-cut SSL ServerName Sort
“Bro-cut SSL ServerName Sort” – Image 3
Connection Log
cat conn.log | bro-cut -d ts uid host uri
cat conn.log | bro-cut service resp_bytes id.resp_h | sort -u
cat conn.log | bro-cut service id.resp_p id.resp_h | awk '$1 == "http" && ! ($2 == 80 || $2 == 8080) { print $3 }' | sort -u
cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5
cat conn.log | bro-cut service | sort | uniq -c | sort -n
Bro-cut Connection Log Service Sort
“Bro-cut Connection Log Service Sort” – Image 4
That’s just a few to get anyone new to threat hunting with Bro started. If you have any questions or comments feel free to berate me at @jamesbower