Tuesday, 10 October 2017

Using Bro Threat intelligence framework

** Download a malicious pcap from internet, say, sample1.pcap

** Ensure that you have installed bro correctly and bro intelligence frameworks is present with required modules(Minimum version of bro - 2.4 or greater)

[root@ joshi]# ls -l /usr/local/bro/share/bro/policy/frameworks/intel/
do_notice.bro  seen/
If you want to see if intelligence framework scripts are loaded or not at runtime, kindly look in loaded_scripts.log

** Create a intelligence feed file manually, say, intel1.dat:
(Please note that the separator is TAB and not spaces for columns in the file.)

[root@ joshi]# cat intel1.txt
#fields indicator       indicator_type  meta.source     meta.url        meta.do_notice
172.16.88.10    Intel::ADDR     ciarmy  http://www.ciarmy.com/list/ci-badguys.txt       T


** Create a file: intel.bro in say - /home/joshi with the following contents:

# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/home/joshi/intel1.txt"
};

Another variation:
[root@ joshi]# cat intel1.bro
# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
#    "/home/joshi/intel1.txt"
 @DIR + "/intel1.txt",
};

Now, run bro to make use of "intel1.bro" for finding any malicious connections in the pcap.

[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap intel1.bro


If you wish, you can also add the above lines to site policy script(local.bro) under /usr/local/bro/share/bro/site/local.bro instead of intel1.bro

By default, the logs will be created in the current directory.

To run local script based on site policy(local.bro):
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local

[root@ joshi]# ls -l *.log
-rw-r--r-- 1 root root 60758 Oct  5 17:38 conn.log
-rw-r--r-- 1 root root     0 Oct  5 17:38 debug.log
-rw-r--r-- 1 root root 25454 Oct  5 17:38 dns.log
-rw-r--r-- 1 root root  3736 Oct  5 17:38 http.log
-rw-r--r-- 1 root root  1547 Oct  5 17:38 intel.log
-rw-r--r-- 1 root root 23896 Oct  5 17:36 loaded_scripts.log
-rw-r--r-- 1 root root  2690 Oct  5 17:38 notice.log
-rw-r--r-- 1 root root   253 Oct  5 17:38 packet_filter.log
-rw-r--r-- 1 root root   384 Oct  5 17:38 weird.log

[root@ joshi]# head intel.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   intel
#open   2017-10-05-17-38-26
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid file_mime_type   file_desc       seen.indicator  seen.indicator_type     seen.where      seen.node     sources
#types  time    string  addr    port    addr    port    string  string  string  string  enum enum     string  set[string]
1394196008.595180       CQRmeTHpuDAbRlDrf       172.16.88.10    49493   172.16.88.135   80   --       -       172.16.88.135   Intel::ADDR     Conn::IN_RESP   bro     ciarmy
1394196043.661031       Ch4sqx4DcNd8kxx5hj      172.16.88.10    49495   172.16.88.135   80   --       -       172.16.88.135   Intel::ADDR     Conn::IN_RESP   bro     ciarmy


Local networks on command line:
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local "Site::local_nets += {10.0.0.0/8,192.168.0.0/16}"

Note: "-C" command line flag for bro is a MUST. I have to spend few hours to understand the behaviour and finally, it was discovered in bro faq(http://www.bro.org/documentation/faq.html)

It allows bro's event engine to process the packets event if packets don't have valid checksums.

The following links are useful if you want additional information:
*  Bro Intel framework - https://www.bro.org/sphinx-git/frameworks/intel.html
*  PCAP files - https://github.com/aboutsecurity/Bro-samples/
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

Monday, 2 October 2017

Installing yara

Installation of yara
-----------------------
$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ cd yara-3.5.0
$ ./bootstrap.sh
$ ./configure
$ make
# to spot any errors
$ make check
# make install
yara documentation is very good and you can find installation instructions on variety of
platforms. Please refer - http://yara.readthedocs.io/en/latest/gettingstarted.html#

Test yara with your own rule!
$ echo "rule dummy { condition: true }" > my_rule
$ yara -r my_rule my_rule
dummy my_rule

Yara links
----------
Yara repository - https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
yara rules - https://github.com/Yara-Rules/rules
https://bruteforce.gr/yara-a-beginners-guide.html
https://securityintelligence.com/signature-based-detection-with-yara/
https://countuponsecurity.com/2016/02/10/unleashing-yara-part-1/

YARA signatures:
* https://github.com/Yara-Rules/rules
* http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html
* https://malwareconfig.com/yara/

Interesting projects:
* https://github.com/Neo23x0/yarGen
* https://github.com/godaddy/procfilter