Bro Network Security

mouse
Posts: 21
Joined: Sun Nov 12, 2017 4:49 pm

Bro Network Security

Postby mouse » Wed Aug 22, 2018 2:27 pm

The hardware used both in the Internet of Things (IoT) and in Industrial Control Systems (ICS) has many similarities; both often include older systems that cannot work with detection tools or monitoring agents due to outdated operating systems, resource constraints, proprietary systems, and strange protocols like Modbus and DNP3.

A lack of visibility in these enclaves means there is no way to determine whether and when ICS and/or IoT devices have been compromised until it is too late, but there is hope.

The Bro Network Security Monitor is suitable for detecting such attacks.

The Bro Network Security Monitor comes with built-in DNP3 and Modbus traffic monitoring scripts. These scripts make Bro an excellent choice for detecting attacks on ICS networks. It also has the ability to monitor the typical traffic seen on Internet networks, such as HTTP, HTTPS, DNS, and many others.

The results of its analysis, not to mention any attacks that are detected, are recorded in log files on the local disk that can be collected and normalized by a log file management product such as Tripwire Log Center. Finally, threat intelligence can be added to network security monitoring or log management products to improve Bro data, providing additional analysis against known attack vectors.

Well, let's stop here with the description. Let's now create a few Bro scripts to test its functionality.


Detect links to the attacker's server.
We assume that a targeted attack on the company's infrastructure has been detected. As a result, a number of hosts are infected. Antivirus does not detect the malware, but the IP address of the attacker (command center) is detected and blocked by a firewall. We will now gather information about infected hosts using network traffic analysis.
We will use any external IP address to emulate the connection to the attacker's server.

Download link: https://www.bro.org/

Go to the Bro folder.

Code: Select all

# cd /opt/bro/share/bro/site/


Create a new file now.

Code: Select all

# vi detect_malware.bro


The script we are writing now is:

Code: Select all

# Raise a notice whenever a host completes a connection to the attacker's
# (command center) address on port 80/tcp.
export {
    redef enum Notice::Type += {
        Malware_Detected,
    };
}

event connection_established(c: connection)
{
    # Match the responder address and port (80/tcp, the port used in the netcat test below).
    if ( c$id$resp_h == 178.32.28.120 && c$id$resp_p == 80/tcp )
    {
        NOTICE([$note=Malware_Detected,
                $msg=fmt("Connection from %s to destination: %s", c$id$orig_h, c$id$resp_h),
                $conn=c]);
    }
}


Once the script is written, enable it in the Bro configuration.

Code: Select all

# vi /opt/bro/share/bro/site/local.bro


Add the path of the script to the local.bro file.

Code: Select all

@load site/detect_malware


After adding the script path, activate the configuration of Bro.

Code: Select all

# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit


Now let's run netcat.

Code: Select all

nc -v 178.32.28.120 80


Let's check the log.

Code: Select all

# less /var/opt/bro/logs/current/notice.log




Detection of data leakage.
We assume that data leakage has been detected on the Internet. The information was posted on an HTTP portal. We'll find the insider information.

Go back to the Bro folder.

Code: Select all

$ cd /opt/bro/share/bro/site/


Create a new file.

Code: Select all

# vi detect_data_leak.bro


Now we write the script.

Code: Select all

module HTTP;

export {
    # Keep at most this many bytes of each request body in http.log.
    const post_body_limit = 4096;

    # Extend the http.log record with a new, optional column.
    redef record Info += {
        post_body: string &log &optional;
    };
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    # Only client-to-server (originator) bodies are of interest, and the HTTP
    # state must already exist on the connection before c$http is touched.
    if ( is_orig && c?$http )
    {
        if ( ! c$http?$post_body )
            c$http$post_body = sub_bytes(data, 0, post_body_limit);
        else if ( |c$http$post_body| < post_body_limit )
            c$http$post_body = string_cat(c$http$post_body,
                                          sub_bytes(data, 0, post_body_limit - |c$http$post_body|));
    }
}


Enable the script in the Bro configuration.

Code: Select all

# vi /opt/bro/share/bro/site/local.bro


Add the path of the script to the local.bro file.

Code: Select all

@load site/detect_data_leak


Now activate the Bro configuration.

Code: Select all

# broctl
[BroControl] > stop
[BroControl] > install
[BroControl] > start
[BroControl] > exit


Launch the browser and go to any HTTP site to check Bro. Then post a comment or an article.

Let's look at the log to see what's going on.

Code: Select all

# less /var/opt/bro/logs/current/http.log


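Added example (my own Python, not code from the post above): instead of reading notice.log and http.log in less, parse Bro's tab-separated ASCII logs directly, pull out the hosts that raised Malware_Detected, and scan the post_body column the second script adds to http.log for a sensitivity marker. The two log texts are constructed samples in Bro's log layout (http.log columns trimmed), and the function names are mine.

```python
# Added example, not from the original post. Parses Bro's tab-separated ASCII
# logs and triages the notice.log / http.log entries the scripts above produce.
from typing import Dict, List, Optional

# Constructed sample logs in Bro's ASCII layout (http.log columns trimmed).
NOTICE_LOG = (
    "#separator \\x09\n#unset_field\t-\n#empty_field\t(empty)\n#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tnote\tmsg\n"
    "#types\ttime\tstring\taddr\taddr\tport\tenum\tstring\n"
    "1534940000.1\tCAb1\t10.0.0.5\t178.32.28.120\t80\tMalware_Detected\t"
    "Connection from 10.0.0.5 to destination: 178.32.28.120\n"
    "1534940001.2\tCAb2\t10.0.0.7\t93.184.216.34\t443\tSSL::Invalid_Server_Cert\t-\n"
)
HTTP_LOG = (
    "#separator \\x09\n#unset_field\t-\n#empty_field\t(empty)\n#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tpost_body\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring\n"
    "1534941000.0\tCAb3\t10.0.0.9\t203.0.113.10\tGET\texample.org\t/\t-\n"
    "1534941002.5\tCAb4\t10.0.0.9\t203.0.113.10\tPOST\texample.org\t/comment\t"
    "text=Q3+revenue+CONFIDENTIAL+draft\n"
)

def parse_bro_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Map each data row to the #fields header; unset ('-') -> None, (empty) -> ''."""
    fields, unset, empty, records = [], "-", "(empty)", []
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):            # header / metadata lines
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            continue
        cols = line.split("\t")
        records.append({n: None if v == unset else "" if v == empty else v
                        for n, v in zip(fields, cols)})
    return records

def c2_contacts(notice_text: str, note: str = "Malware_Detected") -> List[str]:
    """Source hosts that raised the given notice: the infected-host candidates."""
    return sorted({r["id.orig_h"] for r in parse_bro_log(notice_text)
                   if r.get("note") == note and r.get("id.orig_h")})

def leaked_posts(http_text: str, markers: List[str]) -> List[str]:
    """POST bodies holding a sensitivity marker, reported as 'client -> host/uri'."""
    return [f"{r['id.orig_h']} -> {r['host']}{r['uri']}"
            for r in parse_bro_log(http_text)
            if any(m in (r.get("post_body") or "") for m in markers)]
```

On a real install point the same functions at the text of /var/opt/bro/logs/current/notice.log and http.log; only the first post_body_limit bytes of each body are present, so a marker further into a large upload will not be seen.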

driveby
Posts: 13
Joined: Wed Aug 22, 2018 3:20 pm

Re: Bro Network Security

Postby driveby » Sat Oct 27, 2018 11:14 pm

wow thanks man that's a lot of useful info

casio
Posts: 28
Joined: Fri Aug 25, 2017 12:01 pm

Re: Bro Network Security

Postby casio » Fri Nov 02, 2018 9:28 pm

thanks great info

Warnertriek
Posts: 3
Joined: Fri Dec 21, 2018 9:14 pm
Location: Panama

Bro Network Security

Postby Warnertriek » Thu Jan 17, 2019 5:27 pm

What operating system does this network require, and how will it protect a wireless network?

