bro-eyes

 

 

Bro is an open source Unix based network monitoring framework. Often compared to a Network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more. Bro can also be used for collecting network measurements, conducting forensic investigations, traffic base lining and more. Bro has been compared to tcpdump, Snort, netflow, and Perl (or any other scripting language) all in one. It is released under the BSD license.

 

 

 
Bro can be conceptualized in two layers:

 

 

Bro Event Engine which analyzes live or recorded network traffic or trace files to generate neutral events.

 

Bro uses an engine (written in C++) to generate events when something happens. These happening can be triggered by the Bro process, such as just after the Bro process initializes or just before the Bro process terminates, as well as by something taking place on the network (or trace file) being analyzed, such as Bro witnessing an HTTP request or a new TCP connection. Bro uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened.

 

 

 

 

Bro Policy Scripts which analyze events to create action policies.

 

Events are handled from within Bro policy scripts (written in the Turing complete Bro scripting language). By default Bro simply logs information about events to files (Bro also supports logging events in binary output), however it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Bro script. The default behavior produces netflow-like output (conn log) as well as application event information. Bro scripts are able to read in data from external files, such as blacklists, for use within Bro policy scripts.

 

 

 

 

Bro is not signature based. Instead, it was developed to be activity based with some support for anomaly detection. From the beginning, Bro has always been focused on connections instead of just packets.

 

 

 
In a way Bro is both a signature and anomaly-based IDS. Its analysis engine will convert traffic captured into a series of events. An eventcould be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine and that’s the Policy Script Interpreter. This policy engine has it’s own language ( Bro-Script ) and it can do some very powerful and versatile tasks.

 

 

 

 

 

 

 

Bro requires the following libraries and tools to be installed before you begin:

 

 

  • Libpcap
  • OpenSSL libraries
  • BIND8 library
  • Libmagic 5.04 or greater
  • Libz
  • Bash (for BroControl)
  • Python (for BroControl)

 

 

 

 

 

#yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel file-devel

 

 

 

Screenshot from 2014-05-06 15:45:44

 

 

 
Bro can make use of some optional libraries and tools if they are found at build time:

 

 

  • LibGeoIP (for geo-locating IP addresses)
  • sendmail (enables Bro and BroControl to send mail)
  • gawk (enables all features of bro-cut)
  • curl (used by a Bro script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • ipsumdump
  • Ruby executable, library, and headers (for Broccoli Ruby bindings

 

 

 

 

 

 
GeoIP Installation and Configuration:

 

 

MaxMind GeoIP is a collection of APIs for looking up the location of an IP address. There is a collection of free GeoLite databases, which are not as accurate as the GeoIP databases, but will do for starting out and testing with Bro. To setup GeoIP for use with Bro, please follow the commands below.

 

 
#cd /usr/local/src
#wget http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#gunzip -q GeoLiteCity.dat.gz
#mkdir -p /usr/local/share/GeoIP
#mv GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat
#wget http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
#tar xzf GeoIP.tar.gz
#cd GeoIP-1.4.5
#./configure && make && make install

 

 

 

 

Screenshot from 2014-05-07 18:09:25

 

 

 

 
Google Perftools Installation and Configuration:

 

Google’s perftools is a collection of a high-performance multi-threaded malloc() implementation and some performance analysis tools. Google’s perftools have replaced mpatrol for leak-checking and heap-profiling. We will compile Bro with –enable-perftools

 

 

 

By default, perftools will install under /usr/local directory. With perftools compiled into Bro, there are two command-line options made available:

 

 

 
Option What the option controls

 

 

-m turns on leak checking of the main packet loop, with some uninteresting leaks are suppressed. Currently, with one exception (the RPC analyzer; problem not yet found), it reports no leaks when running the test suite.

 

 

-M turns on heap profiling: Bro will take a snapshot of the heap before starting the main packet loop and another one when finished.

 

 

 

 

 

To help with the installation of Google’s perftool, the ICSI Networking Group has written a post “Making Sure Your Bro Code Does Not Leak.” The post will provide additional information. The basic steps to install perftools are:

 

 
#cd /usr/local/src
#wget http://google-perftools.googlecode.com/files/google-perftools-0.99.2.tar.gz
#tar xzf google-perftools-0.99.2.tar.gz
#cd google-perftools-0.99.2
#./configure && make && make install
#export LDFLAGS=-L/usr/local/lib
#export CFLAGS=-I/usr/local/include
#export CPPFLAGS=-I/usr/local/include
#export LD_LIBRARY_PATH=/usr/local/lib

 

 

 

Screenshot from 2014-05-07 18:11:59

 

 

 

 

 
Installing and Configuring  XML Analyzer:

 

 

The XML analyzer is highly-experimental code written by Tobias Kiesling. Installation of Xerces-C++ and XQilla is required to use the XML analyzer. The code allows you to be able to easily adjust analysis capabilities to specific XML data formats. Xerces-C++ is a validating XML parser written in a portable subset of C++. XQilla is an XQuery and XPath 2 library and command line utility written in C++.

 

 

 

 

#cd /usr/local/src
#wget http://kaz.dl.sourceforge.net/project/xqilla/xqilla/2.3.0/XQilla-2.3.0.tar.gz
#wget http://mirror.reverse.net/pub/apache//xerces/c/3/binaries/xerces-c-3.1.1-x86_64-linux-gcc-3.4.tar.gz
#md5sum xerces-c-3.1.1-x86_64-linux-gcc-3.4.tar.gz
#tar xzf xerces-c-3.1.1-x86_64-linux-gcc-3.4.tar.gz
#tar xzf XQilla-2.3.0.tar.gz
#ln -s XQilla-2.3.0 xqilla
#cd xerces-c-3.1.1
#patch -p1 < ../xqilla/src/xercesc_content_type.patch
#patch -p1 <../xqilla/src/xercesc_regex.patch
#export XERCESCROOT=`pwd`
#cd src/xercesc
#runConfigure -plinux
#make
#make install

 

 

 

 
With Xerces-C++, configure and install XQilla.

 

#cd /usr/local/src/xqilla/
#./configure –with-xerces=`pwd`/../xerces-c-3.1.1/
#make
#make install

 

 

 

 

Screenshot from 2014-05-07 18:16:47

 

 

 

 

 
Installing and Configuring Bro:

 

 

 

The current version should be the most stable. To install, follow these commands:

 

#cd /usr/local/src
#wget http://www.bro.org/downloads/release/bro-2.2.tar.gz
#tar xzf bro-2.2.tar.gz
#cd bro-2.2
#./configure –enable-debug –enable-perftools –prefix=/usr/local/bro –with-xqilla
#make
#make install
#export PATH=/usr/local/bro/bin:$PATH

 

 

 

 

 

Bro File Structure:

 

 

Let’s jump into the Bro file structure.

 

 

#cd /usr/local/bro/
/usr/local/bro is our main install directory. Sometimes called $PREFIX

 

 

 

 

We have a few key places that are useful to know of :

 

 

$PREFIX/bin – the bro binaries – bro, bro-cut, broctl…

 

 

$PREFIX/share/bro: the base, broctl, magic, policy, and site directories – all of our bro runtime scripts are stored here. If we run bro from the cli – we need to specify anything else we want loaded in addition to base. (e.g. bro -r mypackets.trace protocols/ssl/validate-certs)

 

 

$PREFIX/share/bro/policy: these load when you run bro from broctl but otherwise have to be told to load (@load x)

 

 

$PREFIX/scripts: there are out of the box scripts that provide detection for things like SQLi, among other things

 

$PREFIX/etc: bro and broctl config files (configure networks/paths and other options)

 

$PREFIX/share/bro/local/ – the local node files – (a node is the local instance of Bro – more later – or read here.) any custom scripts you’d drop here since and tell local.bro to load them and any dependencies. Local configs are here also

 

 

 

 

 

 

 

Testing Bro:

 

 

So for our first script – we are going to use probably the most common event triggered in bro – a TCP connection.

 
#mkdir /usr/local/bro/tmp
#cd /usr/local/bro/tmp

 

 

#vi hello.bro

 

event connection_established(c:connection)
{
print fmt(“Hello Bro”);
}

 

:wq!

 

 
#bro -i eth0 hello.bro (eth0 is your network interface)

 

 

After you see a few Hello Bro’s print out – hit Ctl-C to stop bro.So everytime a new connection get’s established Bro will print Hello Bro.

 

 

 

Screenshot from 2014-05-06 16:40:45

 

 

 

 

 

 

 

Managing Bro with BroControl:

 

 

 

BroControl is an interactive shell for easily operating/managing Bro installations on a single system or even across multiple systems in a traffic-monitoring cluster.

 
These are the basic configuration changes to make for a minimal BroControl installation that will manage a single Bro instance on the localhost:

 

 

 

In $PREFIX/etc/node.cfg, set the right interface to monitor.

 

 

 

#vi   $PREFIX/etc/node.cfg

 

Screenshot from 2014-05-06 15:59:09

 

 
In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.

 

 

 

#vi   $PREFIX/etc/networks.cfg

 

Screenshot from 2014-05-06 15:59:37
 

 

In $PREFIX/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.

 

 

 

#vi   $PREFIX/etc/broctl.cfg

 

 

Screenshot from 2014-05-06 16:00:14

 

Now start the BroControl shell like:

 

 

#broctl

 

 

Since this is the first-time use of the shell, perform an initial installation of the BroControl configuration:

 

 

#[BroControl]> install

 
Then start up a Bro instance:

 

 

#[BroControl]> start

 

 

 

 

Screenshot from 2014-05-06 16:00:55

 

 

 

I also recommend to insert the following entry into crontab:

 

 

#crontab -e

 

0-59/5 * * * * $PREFIX/bin/broctl cron

 

:wq!

 

 

 

Screenshot from 2014-05-06 16:02:02

 

 

 
This will perform a number of regular housekeeping tasks, including verifying that the process is still running.

 

 

 

 

 

 

Monitoring Live Traffic:

 

 
Analyzing live traffic from an interface is simple:

 

 

#bro -i eth0 <script to load>

 
eth0 can be replaced by the interface of your choice and for the list of scripts, you can just use “all” for now to perform all the default analysis that’s available.

 

 

 
#vi /usr/local/bro-2.2/share/bro/base/utils/site.bro

 
redef Site::local_nets += { 192.168.31.0/24 }

 

:wq!

 

 

 

Screenshot from 2014-05-06 17:10:18

 

 

 

 
Capturing packets from an interface and writing them to a file can be done like this:

 

 

#tcpdump -i eth0 -s 0 -w mypackets.trace

 

 

After a while of capturing traffic, kill the tcpdump (with ctrl-c), and tell Bro to perform all the default analysis on the capture which primarily includes.

 

 
#bro -C -r mypackets.trace

 

 

 
Bro will output log files into the working directory

 

 

If you are interested in more detection, you can again load the local script that we include as a suggested configuration:

 

 

#bro C -r mypackets.trace local

 

 

 

 

 

Screenshot from 2014-05-06 17:03:05

 

Screenshot from 2014-05-06 17:11:02

 

Upcoming  posts  i’ll explain that   how to analyse   Web Application  Attack  using   BRO IDS…