Bro Network Security

Tools
User avatar
mouse
Posts: 21
Joined: Sun Nov 12, 2017 4:49 pm

Bro Network Security

Postby mouse » Wed Aug 22, 2018 2:27 pm

The hardware, used both in the Internet of Things (IoT) and in the Industrial Control Systems (ICS), has many similarities; Both often include older systems that can not work with detection tools or monitoring agents due to outdated operating systems, resource constraints, proprietary systems, and strange protocols like Modbus and DNP3.

Lack of visibility in these enclaves means there is no way to determine whether and when ICS and / or IoT devices have been compromised until it is too late - but there is hope.

Bro's network security monitor is suitable for detecting such attacks.

The Bro's Network Security Monitor comes with built-in traffic monitoring scripts DNP3 and Modbus. These scripts make Gros excellent choice for detecting attacks on ICS networks. It also has the ability to monitor the typical traffic seen on Internet networks, such as HTTP, HTTPS, DNS, and many others.

The results of his analysis, not to mention any attacks that are detected, are recorded in log files on the local disk that can be collected and normalized by a log file management product such as Tripwire Log Center. Finally, threat intelligence can be added to network security monitoring or log management products to improve Bro data, providing additional analysis against known attack vectors.

Well, let's stop here with the description. Let's now create a few Bro scripts to test its functionality.

 

Detect links to the attacker's server.
We assume that a targeted attack on the company's infrastructure has been detected. As a result, the number of hosts is infected. Antivirus does not detect malware, but the IP address of the attack (Command Center) is detected and blocked by a firewall. We will now gather information about infected hosts using network traffic analysis.
We will use any external IP address to emulate the connection to the attacker's server.

Download link: https://www.bro.org/

Go to the Bro folder.

Code: Select all

# cd /opt/bro/share/bro/site/


Create a new file now.

Code: Select all

# vi detect_malware.bro


The script we are writing now is:

Code: Select all

export {
redef enum Notice::Type += {
Malware_Detected,
};
}
event connection_established(c: connection) {
if ( c$id$resp_h == 178.32.28.120 && c$id$resp_p == 80/t***** )
{
NOTICE([$note=Malware_Detected,
$msg=fmt("Connection from %s to destination: %s", c$id$orig_h, c$id$resp_h),
$conn=c]);
}
}


Once the script is written, turn it on for configuration Bro.

Code: Select all

# vi /opt/bro/share/bro/site/local.bro


Add the path of the script to the local.bro file.

Code: Select all

@load site/detect_malware


After adding the script path, activate the configuration of Bro.

Code: Select all

# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit


Now let's run netcat.

Code: Select all

nc -v 178.32.28.120 80


Let's check the log

Code: Select all

# less /var/opt/bro/logs/current/notice.log


dm*****RDx.png
dm*****RDx.png (35.53 KiB) Viewed 20564 times


Detection of data leakage.
We assume that data leakage is detected on the Internet. The information was posted on the HTTP portal. We'll find insider information.

Go back to the Bro folder.

Code: Select all

$ cd /opt/bro/share/bro/site/


Create a new file.

Code: Select all

# vi detect_data_leak.bro


Now we write the script.

Code: Select all

module HTTP;
export {
const post_body_limit = 4096;
redef record Info += {
post_body: string &log &optional;
};
}
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
if ( is_orig )
{
if ( ! c$http?$post_body )
c$http$post_body = sub_bytes(data, 0, post_body_limit);
else if ( |c$http$post_body| < post_body_limit )
c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 0, post_body_limit-|c$http$post_body|));
}
}


Turn on the Bro configuration script.

Code: Select all

# vi /opt/bro/share/bro/site/local.bro


Add the path of the script to the local.bro file.

Code: Select all

@load site/detect_data_leak


Now activate the Bro configuration.

Code: Select all

# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit


Launch the browser and go to any HTTP site to check the Bro. Then post a comment or article.

Let's see the log, what's going on.

Code: Select all

# less /var/opt/bro/logs/current/http.log


c3MwHA7.png
c3MwHA7.png (57.02 KiB) Viewed 20564 times

User avatar
driveby
Posts: 13
Joined: Wed Aug 22, 2018 3:20 pm

Re: Bro Network Security

Postby driveby » Sat Oct 27, 2018 11:14 pm

wow thanks man that's a lot of useful info

User avatar
casio
Posts: 28
Joined: Fri Aug 25, 2017 12:01 pm

Re: Bro Network Security

Postby casio » Fri Nov 02, 2018 9:28 pm

thanks great info

User avatar
Warnertriek
Posts: 3
Joined: Fri Dec 21, 2018 9:14 pm
Location: Panama
Contact:

Bro Network Security

Postby Warnertriek » Thu Jan 17, 2019 5:27 pm

What operating system does this network require and how itll protect wireless network?


Return to “Tools”