** Download a malicious pcap from internet, say, sample1.pcap
** Ensure that you have installed bro correctly and bro intelligence frameworks is present with required modules(Minimum version of bro - 2.4 or greater)
[root@ joshi]# ls -l /usr/local/bro/share/bro/policy/frameworks/intel/
do_notice.bro seen/
If you want to see if intelligence framework scripts are loaded or not at runtime, kindly look in loaded_scripts.log
** Create a intelligence feed file manually, say, intel1.dat:
(Please note that the separator is TAB and not spaces for columns in the file.)
[root@ joshi]# cat intel1.txt
#fields indicator indicator_type meta.source meta.url meta.do_notice
172.16.88.10 Intel::ADDR ciarmy http://www.ciarmy.com/list/ci-badguys.txt T
** Create a file: intel.bro in say - /home/joshi with the following contents:
# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/home/joshi/intel1.txt"
};
Another variation:
[root@ joshi]# cat intel1.bro
# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
# "/home/joshi/intel1.txt"
@DIR + "/intel1.txt",
};
Now, run bro to make use of "intel1.bro" for finding any malicious connections in the pcap.
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap intel1.bro
If you wish, you can also add the above lines to site policy script(local.bro) under /usr/local/bro/share/bro/site/local.bro instead of intel1.bro
By default, the logs will be created in the current directory.
To run local script based on site policy(local.bro):
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local
[root@ joshi]# ls -l *.log
-rw-r--r-- 1 root root 60758 Oct 5 17:38 conn.log
-rw-r--r-- 1 root root 0 Oct 5 17:38 debug.log
-rw-r--r-- 1 root root 25454 Oct 5 17:38 dns.log
-rw-r--r-- 1 root root 3736 Oct 5 17:38 http.log
-rw-r--r-- 1 root root 1547 Oct 5 17:38 intel.log
-rw-r--r-- 1 root root 23896 Oct 5 17:36 loaded_scripts.log
-rw-r--r-- 1 root root 2690 Oct 5 17:38 notice.log
-rw-r--r-- 1 root root 253 Oct 5 17:38 packet_filter.log
-rw-r--r-- 1 root root 384 Oct 5 17:38 weird.log
[root@ joshi]# head intel.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2017-10-05-17-38-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources
#types time string addr port addr port string string string string enum enum string set[string]
1394196008.595180 CQRmeTHpuDAbRlDrf 172.16.88.10 49493 172.16.88.135 80 -- - 172.16.88.135 Intel::ADDR Conn::IN_RESP bro ciarmy
1394196043.661031 Ch4sqx4DcNd8kxx5hj 172.16.88.10 49495 172.16.88.135 80 -- - 172.16.88.135 Intel::ADDR Conn::IN_RESP bro ciarmy
Local networks on command line:
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local "Site::local_nets += {10.0.0.0/8,192.168.0.0/16}"
Note: "-C" command line flag for bro is a MUST. I have to spend few hours to understand the behaviour and finally, it was discovered in bro faq(http://www.bro.org/documentation/faq.html)
It allows bro's event engine to process the packets event if packets don't have valid checksums.
The following links are useful if you want additional information:
* Bro Intel framework - https://www.bro.org/sphinx-git/frameworks/intel.html
* PCAP files - https://github.com/aboutsecurity/Bro-samples/
* http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
** Ensure that you have installed bro correctly and bro intelligence frameworks is present with required modules(Minimum version of bro - 2.4 or greater)
[root@ joshi]# ls -l /usr/local/bro/share/bro/policy/frameworks/intel/
do_notice.bro seen/
If you want to see if intelligence framework scripts are loaded or not at runtime, kindly look in loaded_scripts.log
** Create a intelligence feed file manually, say, intel1.dat:
(Please note that the separator is TAB and not spaces for columns in the file.)
[root@ joshi]# cat intel1.txt
#fields indicator indicator_type meta.source meta.url meta.do_notice
172.16.88.10 Intel::ADDR ciarmy http://www.ciarmy.com/list/ci-badguys.txt T
** Create a file: intel.bro in say - /home/joshi with the following contents:
# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/home/joshi/intel1.txt"
};
Another variation:
[root@ joshi]# cat intel1.bro
# intelligence framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
# "/home/joshi/intel1.txt"
@DIR + "/intel1.txt",
};
Now, run bro to make use of "intel1.bro" for finding any malicious connections in the pcap.
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap intel1.bro
If you wish, you can also add the above lines to site policy script(local.bro) under /usr/local/bro/share/bro/site/local.bro instead of intel1.bro
By default, the logs will be created in the current directory.
To run local script based on site policy(local.bro):
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local
[root@ joshi]# ls -l *.log
-rw-r--r-- 1 root root 60758 Oct 5 17:38 conn.log
-rw-r--r-- 1 root root 0 Oct 5 17:38 debug.log
-rw-r--r-- 1 root root 25454 Oct 5 17:38 dns.log
-rw-r--r-- 1 root root 3736 Oct 5 17:38 http.log
-rw-r--r-- 1 root root 1547 Oct 5 17:38 intel.log
-rw-r--r-- 1 root root 23896 Oct 5 17:36 loaded_scripts.log
-rw-r--r-- 1 root root 2690 Oct 5 17:38 notice.log
-rw-r--r-- 1 root root 253 Oct 5 17:38 packet_filter.log
-rw-r--r-- 1 root root 384 Oct 5 17:38 weird.log
[root@ joshi]# head intel.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2017-10-05-17-38-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources
#types time string addr port addr port string string string string enum enum string set[string]
1394196008.595180 CQRmeTHpuDAbRlDrf 172.16.88.10 49493 172.16.88.135 80 -- - 172.16.88.135 Intel::ADDR Conn::IN_RESP bro ciarmy
1394196043.661031 Ch4sqx4DcNd8kxx5hj 172.16.88.10 49495 172.16.88.135 80 -- - 172.16.88.135 Intel::ADDR Conn::IN_RESP bro ciarmy
Local networks on command line:
[root@ joshi]# bro -C -r /home/joshi/Downloads/sample1.pcap local "Site::local_nets += {10.0.0.0/8,192.168.0.0/16}"
Note: "-C" command line flag for bro is a MUST. I have to spend few hours to understand the behaviour and finally, it was discovered in bro faq(http://www.bro.org/documentation/faq.html)
It allows bro's event engine to process the packets event if packets don't have valid checksums.
The following links are useful if you want additional information:
* Bro Intel framework - https://www.bro.org/sphinx-git/frameworks/intel.html
* PCAP files - https://github.com/aboutsecurity/Bro-samples/
* http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html