Bro Network Security
Posted: Wed Aug 22, 2018 2:27 pm
The hardware used in the Internet of Things (IoT) and in Industrial Control Systems (ICS) has much in common: both environments often include older systems that cannot run detection tools or monitoring agents because of outdated operating systems, resource constraints, proprietary platforms, and unusual protocols such as Modbus and DNP3.
The lack of visibility in these enclaves means there is no way to determine whether and when ICS and/or IoT devices have been compromised until it is too late. But there is hope.
The Bro Network Security Monitor is well suited to detecting such attacks.
Bro ships with built-in DNP3 and Modbus traffic-monitoring scripts, which make it an excellent choice for detecting attacks on ICS networks. It also monitors the typical traffic seen on IT networks, such as HTTP, HTTPS, DNS, and many others.
The results of its analysis, including any attacks that are detected, are recorded in log files on the local disk that can be collected and normalized by a log management product such as Tripwire Log Center. Finally, threat intelligence can be fed into the network security monitor or the log management product to enrich Bro's data and provide additional analysis against known attack indicators.
That is enough description. Let's now write a few Bro scripts to test its functionality.
Detecting connections to the attacker's server.
Assume that a targeted attack on the company's infrastructure has been detected and a number of hosts are infected. Antivirus does not detect the malware, but the IP address of the attacker's command-and-control server is known and has been blocked at the firewall. We will now identify the infected hosts by analyzing network traffic.
We will use an arbitrary external IP address to emulate a connection to the attacker's server; the address in the script below is only an example.
Download link: https://www.bro.org/
Go to the Bro site directory:
# cd /opt/bro/share/bro/site/
Create a new script file:
# vi detect_malware.bro
The script is as follows:
export {
    redef enum Notice::Type += {
        ## Raised when a host connects to the known C2 address.
        Malware_Detected,
    };
}

# connection_established fires once the TCP three-way handshake has completed.
event connection_established(c: connection)
{
    # Example C2 address and port; replace with the blocked attacker address.
    if ( c$id$resp_h == 178.32.28.120 && c$id$resp_p == 80/tcp )
    {
        NOTICE([$note=Malware_Detected,
                $msg=fmt("Connection from %s to destination: %s", c$id$orig_h, c$id$resp_h),
                $conn=c]);
    }
}
Once the script is written, enable it in Bro's configuration:
# vi /opt/bro/share/bro/site/local.bro
Add the following line to local.bro so that the script is loaded:
@load site/detect_malware
After adding the script, redeploy the Bro configuration:
# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit
Now emulate an infected host by connecting to the address with netcat, from a machine whose traffic Bro sees. Note that connection_established fires only after the TCP handshake completes, so an attempt that the firewall drops will not trigger this particular script:
nc -v 178.32.28.120 80
Check the notice log; a Malware_Detected entry should appear:
# less /var/opt/bro/logs/current/notice.log
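The script above matches a single hard-coded address and fires only once the TCP handshake completes. The following is an added example, not part of the original post, that generalizes it: it keeps a redef-able set of C2 addresses and handles the new_connection event, which fires on the first packet of a connection, so attempts that the firewall drops (SYN only, no handshake) are still recorded. $identifier and $suppress_for collapse repeated attempts from the same host into one notice per hour. The addresses in c2_hosts and the file name detect_c2.bro are placeholders.

```bro
# Added example (not from the original post): report any connection attempt
# from a local host to a set of known command-and-control addresses.
module DetectC2;

export {
    redef enum Notice::Type += {
        ## A local host tried to reach a known C2 address.
        C2_Connection_Attempt,
    };

    ## Addresses of known C2 servers. Placeholder values; redef in local.bro
    ## with the addresses actually blocked at the firewall.
    const c2_hosts: set[addr] = {
        178.32.28.120,
        192.0.2.10
    } &redef;
}

# new_connection fires as soon as Bro sees the first packet, so a SYN that
# the firewall later drops still produces a notice.
event new_connection(c: connection)
{
    if ( c$id$resp_h !in c2_hosts )
        return;

    NOTICE([$note=C2_Connection_Attempt,
            $msg=fmt("%s attempted to reach C2 server %s on port %s",
                     c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $conn=c,
            # One notice per (infected host, C2 address) pair per hour;
            # a beaconing implant would otherwise flood notice.log.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
}
```

Deploy it the same way as detect_malware: save it as detect_c2.bro in the site directory, add `@load site/detect_c2` to local.bro, then run broctl install and start. Repeating the netcat test against any address in c2_hosts now produces a C2_Connection_Attempt notice even when the connection never completes. For a real threat-intelligence feed, Bro's Intel framework (`@load frameworks/intel/seen` together with `Intel::read_files`) is the idiomatic replacement for a hand-maintained set.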
Detecting data leakage.
Assume that a data leak has been detected: internal information was posted to a public HTTP site. We will find the insider by capturing the bodies of outbound HTTP requests.
Go back to the Bro site directory:
# cd /opt/bro/share/bro/site/
Create a new file:
# vi detect_data_leak.bro
Now write the script:
module HTTP;

export {
    ## Maximum number of request-body bytes to keep per request.
    const post_body_limit = 4096;

    ## Add a new column to http.log holding the client's request body.
    redef record Info += {
        post_body: string &log &optional;
    };
}

# http_entity_data delivers body chunks; is_orig is true for data sent by the
# client (POST/PUT bodies) and false for server responses.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    if ( is_orig )
    {
        if ( ! c$http?$post_body )
            # First chunk: keep at most post_body_limit bytes.
            c$http$post_body = sub_bytes(data, 0, post_body_limit);
        else if ( |c$http$post_body| < post_body_limit )
            # Later chunks: append until the limit is reached.
            c$http$post_body = string_cat(c$http$post_body,
                                          sub_bytes(data, 0, post_body_limit - |c$http$post_body|));
    }
}
Enable the script in Bro's configuration:
# vi /opt/bro/share/bro/site/local.bro
Add the script to local.bro:
@load site/detect_data_leak
Now redeploy the Bro configuration:
# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit
To test it, open a browser, visit any plain-HTTP site (not HTTPS, since Bro cannot see encrypted request bodies) and post a comment or an article.
Check http.log; the new post_body column holds the captured request body:
# less /var/opt/bro/logs/current/http.log
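Logging every request body is useful for forensics after the fact, but a practitioner usually also wants an alert the moment something sensitive leaves the network. The following added example (not part of the original post) buffers the client request body much as the script above does, then, when the request is complete, searches it for illustrative markers of sensitive data and raises a notice naming the posting host and destination. The module name, the patterns in the sensitive constant and the 8192-byte limit are placeholder choices; like the script above it only works for plaintext HTTP, since Bro cannot see HTTPS request bodies without TLS interception.

```bro
# Added example (not from the original post): alert when an outbound HTTP
# request body contains markers of sensitive data.
module LeakDetect;

export {
    redef enum Notice::Type += {
        ## A local host posted data matching the sensitive pattern.
        Sensitive_Data_Posted,
    };

    ## Maximum number of request-body bytes kept per request for matching.
    const body_limit = 8192 &redef;

    ## Illustrative markers only: classification labels and a private-key header.
    const sensitive: pattern = /CONFIDENTIAL|INTERNAL ONLY|BEGIN (RSA |OPENSSH )?PRIVATE KEY/ &redef;

    redef record HTTP::Info += {
        ## Buffered client request body; not logged, used only for matching.
        leak_body: string &optional;
    };
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    # Only the client -> server direction carries uploaded data.
    if ( ! is_orig || ! c?$http )
        return;

    if ( ! c$http?$leak_body )
        c$http$leak_body = "";

    local have = |c$http$leak_body|;
    if ( have < body_limit )
        c$http$leak_body = c$http$leak_body + sub_bytes(data, 0, body_limit - have);
}

# http_message_done fires once the whole request (headers and body) has been
# seen, so the buffer is complete at this point.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http || ! c$http?$leak_body )
        return;

    local dest = c$http?$host ? c$http$host : cat(c$id$resp_h);

    if ( sensitive in c$http$leak_body )
    {
        NOTICE([$note=Sensitive_Data_Posted,
                $msg=fmt("%s posted sensitive data to http://%s%s",
                         c$id$orig_h, dest, c$http?$uri ? c$http$uri : "/"),
                $conn=c,
                # One notice per (source host, destination site) pair.
                $identifier=cat(c$id$orig_h, dest)]);
    }

    # The request is finished; release the buffer.
    delete c$http$leak_body;
}
```

Save it in the site directory, load it from local.bro, and redeploy with broctl as before; the notice appears in notice.log, while the full body capture from the previous script remains available in http.log for the follow-up investigation. Keeping the buffer out of the log (no &log on leak_body) avoids writing large uploads to disk twice, and deleting it in http_message_done bounds memory use on busy sensors.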