Network analysis with the Bro Network Security Monitor
Got Your Back
Executables
With the standard install on CentOS, Bro will be installed in /opt/bro/, which contains the following subdirectories: bin, etc, include, lib, and share.
The bin subdirectory contains the executables that make up the Bro distribution, as follows:

adtrace is responsible for tracking network addresses. It basically gives Bro the ability to trace source and destination Layer 2 (MAC) and Layer 3 (IP) addresses. It functions by reading the .pcap file and outputs the source Layer 2 address, the destination Layer 2 address, the source IP, and the destination IP.

bro-cut is responsible for formatting Bro's output into columns. It functions by reading Bro's logs and printing the specified columns. This allows simple reports to be run on the basis of field names, instead of having to count columns with Awk, for example.

broccoli-config is the configuration program for Broccoli (Bro Client COmmunications LIbrary). Broccoli lets developers create client sensors for Bro.

broctl, as seen earlier in the article, is an interactive shell used to start, stop, and manage Bro's engines, as well as support a help system (Listing 1). See also the "Interactive Shell" box.
Listing 1
Bro Help System

[BroControl] > help
BroControl Version 1.3

capstats [<nodes>] [<secs>]      - Report interface statistics with capstats
check [<nodes>]                  - Check configuration before installing it
cleanup [--all] [<nodes>]        - Delete working dirs (flush state) on nodes
config                           - Print broctl configuration
cron [--no-watch]                - Perform jobs intended to run from cron
cron enable|disable|?            - Enable/disable "cron" jobs
df [<nodes>]                     - Print nodes' current disk usage
diag [<nodes>]                   - Output diagnostics for nodes
exec <shell cmd>                 - Execute shell command on all hosts
exit                             - Exit shell
install                          - Update broctl installation/configuration
netstats [<nodes>]               - Print nodes' current packet counters
nodes                            - Print node configuration
peerstatus [<nodes>]             - Print status of nodes' remote connections
print <id> [<nodes>]             - Print values of script variable at nodes
process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
quit                             - Exit shell
restart [--clean] [<nodes>]      - Stop and then restart processing
scripts [-c] [<nodes>]           - List the Bro scripts the nodes will load
start [<nodes>]                  - Start processing
status [<nodes>]                 - Summarize node status
stop [<nodes>]                   - Stop processing
top [<nodes>]                    - Show Bro processes ala top
update [<nodes>]                 - Update configuration of nodes on the fly

Commands provided by plugins:

ps.bro [<nodes>]                 - Show Bro processes on nodes' systems
Interactive Shell

Besides the install and start commands used earlier, the ps.bro and restart commands within the BroControl interactive shell are also quite useful. To see which process Bro is running, you can use ps.bro (Listing 2). For a quick restart of Bro, restart is the command to use. Bro doesn't require a lot of restarts for maintenance issues, but this command does restart counters, which can be handy when working on event correlations or with the netstats command (Listing 3).
Listing 2
ps.bro

[BroControl] > ps.bro
       USER  PID    PPID   %CPU %MEM VSZ    RSS   TT S STARTED TIME       COMMAND
>>> localhost
(+) root     11766  11757  34.8 6.4  862984 96872 ?  S Oct 19  7-00:03:58 bro
(+) root     11792  11766  11.4 3.3  150888 51400 ?  S Oct 19  2-07:05:05 bro
Listing 3
netstats

[BroControl] > netstats
bro: 1415509669.641986 recvd=431 dropped=0 link=431
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > netstats
bro: 1415509677.525993 recvd=35 dropped=0 link=35
[BroControl] >
capstats collects statistics on the network interface and is useful for monitoring traffic loads. You can define the logging interval with the -I parameter and the number of intervals with the -n parameter. For example, to run a report every three seconds for five iterations on eth0, you would use the command in Listing 4.
Listing 4
capstats

/opt/bro/bin/capstats -I 3 -n 5 -i eth0
1415510235.518025 pkts=2 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=2 nic_drops=0 u=0 t=0 i=0 o=0 nonip=2
1415510238.518111 pkts=8 kpps=0.0 kbytes=1 mbps=0.0 nic_pkts=10 nic_drops=0 u=5 t=2 i=0 o=0 nonip=1
1415510241.519354 pkts=6 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=16 nic_drops=0 u=2 t=2 i=0 o=0 nonip=2
1415510244.519597 pkts=6 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=22 nic_drops=0 u=2 t=2 i=0 o=0 nonip=2
1415510247.520546 pkts=7 kpps=0.0 kbytes=1 mbps=0.0 nic_pkts=29 nic_drops=0 u=3 t=2 i=0 o=0 nonip=2
The capstats report shows (left to right) the relative time stamp, the number of packets (pkts) seen by capstats during a particular interval, the packet rate in thousands of packets per second (kpps), the kilobytes seen during the interval (kbytes), megabits per second (mbps), libpcap's reported packets (nic_pkts), the number of packets reported by libpcap as dropped (nic_drops), the number of packets via UDP, TCP, ICMP, and other protocols (u, t, i, o), and the number of non-IP packets (nonip).
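The capstats columns above are the numbers an operator watches to know whether the sensor is keeping up with the link. The following is an added example, not code from the article or from the Bro project: it parses capstats interval lines (the five from Listing 4 plus one constructed line with drops), differences the nic_drops counter between intervals (nic_pkts in Listing 4 runs 2, 10, 16, 22, 29 against per-interval pkts of 2, 8, 6, 6, 7, so the nic_ counters are treated as cumulative, which is an assumption drawn from that listing), checks that the u/t/i/o/nonip breakdown sums to pkts, and flags intervals with drops or a packet rate above a threshold. The 1.0 kpps threshold is a placeholder value.

```python
# Added example: parse capstats output and flag intervals with capture drops.
# Not from the article or the Bro project; nic_* counters assumed cumulative.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the five intervals of Listing 4 plus one constructed
# line with a burst and 91 dropped packets to exercise the check.
SAMPLE_OUTPUT = """\
1415510235.518025 pkts=2 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=2 nic_drops=0 u=0 t=0 i=0 o=0 nonip=2
1415510238.518111 pkts=8 kpps=0.0 kbytes=1 mbps=0.0 nic_pkts=10 nic_drops=0 u=5 t=2 i=0 o=0 nonip=1
1415510241.519354 pkts=6 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=16 nic_drops=0 u=2 t=2 i=0 o=0 nonip=2
1415510244.519597 pkts=6 kpps=0.0 kbytes=0 mbps=0.0 nic_pkts=22 nic_drops=0 u=2 t=2 i=0 o=0 nonip=2
1415510247.520546 pkts=7 kpps=0.0 kbytes=1 mbps=0.0 nic_pkts=29 nic_drops=0 u=3 t=2 i=0 o=0 nonip=2
1415510250.521001 pkts=9000 kpps=3.0 kbytes=4100 mbps=10.9 nic_pkts=9120 nic_drops=91 u=8800 t=150 i=20 o=30 nonip=0
"""


@dataclass
class Interval:
    ts: float                  # time stamp at the end of the interval
    fields: Dict[str, float]   # key=value columns, numeric


def parse_capstats(text: str) -> List[Interval]:
    """Parse one capstats line per interval: '<ts> key=value key=value ...'."""
    intervals = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = float(parts[0])
        fields = {}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            fields[key] = float(value) if "." in value else int(value)
        intervals.append(Interval(ts, fields))
    return intervals


def breakdown_consistent(iv: Interval) -> bool:
    """u + t + i + o + nonip should account for every packet in pkts."""
    parts = sum(iv.fields[k] for k in ("u", "t", "i", "o", "nonip"))
    return parts == iv.fields["pkts"]


def per_interval_drops(intervals: List[Interval]) -> List[int]:
    """Difference the cumulative nic_drops counter (assumption, see lead-in);
    the first interval is compared against zero."""
    prev = 0
    deltas = []
    for iv in intervals:
        cur = iv.fields["nic_drops"]
        deltas.append(cur - prev)
        prev = cur
    return deltas


def flag_intervals(intervals: List[Interval],
                   kpps_limit: float = 1.0) -> List[Tuple[float, str]]:
    """Return (ts, reason) for intervals with drops or a rate above the limit."""
    flagged = []
    for iv, drops in zip(intervals, per_interval_drops(intervals)):
        reasons = []
        if drops > 0:
            reasons.append(f"libpcap dropped {drops} packets")
        if iv.fields["kpps"] > kpps_limit:
            reasons.append(f"rate {iv.fields['kpps']} kpps above {kpps_limit}")
        if reasons:
            flagged.append((iv.ts, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    ivs = parse_capstats(SAMPLE_OUTPUT)
    for ts, reason in flag_intervals(ivs):
        print(f"{ts:.6f}: {reason}")
```

In practice the text would come from capstats run with the -I and -n values shown above; a non-zero drop delta is the signal that the logs Bro writes for that interval are incomplete, which matters when a later investigation relies on them.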
ftwire2bro is a command-line utility that takes Netflow files and converts them to Bro format. Another utility in the bin directory, nfcollector, captures Netflow data from a socket and converts it to Bro format.

rst, short for TCP reset, is used by Bro to terminate established TCP connections. One valuable use would be for configuring Bro to deal with a zero-day attack in which the traffic simply needs to be shut down. An example application would be to halt the replication of a worm for which virus software vendors have not yet provided a signature or the means for removal.

trace-summary is another reporting tool that can be used for analysis against Bro's logs.
Configuration and Output Files

Another subdirectory worth understanding in /opt/bro/ is etc. This directory contains four configuration files: broccoli.conf, broctl.cfg, networks.cfg, and nodes.cfg.
Unless you are developing applications that interact with Bro, the broccoli.conf file can be ignored. The broctl.cfg file isn't typically needed on an RPM-installed version of Bro; however, you might need it if you have to restructure disk volumes at some point in time.

The networks.cfg file defines networks and typically contains the private address space as default. You can add additional networks for Bro to search when using descriptions of networks in reports.

The nodes.cfg file is where you can add additional nodes or change interfaces.
Besides the /opt/bro/ directory, Bro also manages /var/opt/bro/. This directory contains two subdirectories: logs and spool.

The logs directory comprises archived logs containing historical data (all logs previous to today); however, it also contains a current symlink that points to the directory holding today's live logs. The subdirectories in logs are in the format YYYY-MM-DD and, as mentioned, the current directory (Listing 5).
Listing 5
/var/opt/bro/logs Subdirectories

ls -l /var/opt/bro/logs/
total 244
drwxr-xr-x. 2 root root  4096 Oct 20 00:00 2014-10-19
drwxr-xr-x. 2 root root 12288 Oct 21 00:00 2014-10-20
drwxr-xr-x. 2 root root 12288 Oct 22 00:00 2014-10-21
drwxr-xr-x. 2 root root 12288 Oct 23 00:00 2014-10-22
drwxr-xr-x. 2 root root 12288 Oct 24 00:00 2014-10-23
drwxr-xr-x. 2 root root 12288 Oct 25 00:00 2014-10-24
~~~~~
drwxr-xr-x. 2 root root 12288 Nov  5 00:00 2014-11-04
drwxr-xr-x. 2 root root 12288 Nov  6 00:00 2014-11-05
drwxr-xr-x. 2 root root 12288 Nov  7 00:00 2014-11-06
drwxr-xr-x. 2 root root 12288 Nov  8 00:00 2014-11-07
drwxr-xr-x. 2 root root 12288 Nov  8 23:07 2014-11-08
lrwxrwxrwx. 1 root root    22 Oct 19 21:22 current -> /var/opt/bro/spool/bro
The spool subdirectory not only contains the working directory but also is used for scratch space by Bro (tmp subdirectory), as well as the broctl database (broctl.dat).
Now that Bro is up and running, I can take a look at one of the output types that Bro supports. Luckily, Bro uses intuitive names. For example, the log for October 19 is shown in Listing 6.
Listing 6
Bro Log for One Day

[root@centos6-5 2014-10-19]# ls -l /var/opt/bro/logs/2014-10-19/
total 268
-rw-r--r--. 1 root root  2360 Oct 19 22:00 communication.21:34:11-22:00:00.log.gz
-rw-r--r--. 1 root root  4787 Oct 19 23:00 communication.22:00:00-23:00:00.log.gz
-rw-r--r--. 1 root root  4787 Oct 20 00:00 communication.23:00:00-00:00:00.log.gz
-rw-r--r--. 1 root root 15157 Oct 19 22:00 conn.21:34:39-22:00:00.log.gz
-rw-r--r--. 1 root root 33060 Oct 19 23:00 conn.22:00:00-23:00:00.log.gz
~~~~~
-rw-r--r--. 1 root root   875 Oct 19 23:00 files.22:05:05-23:00:00.log.gz
-rw-r--r--. 1 root root   626 Oct 19 23:00 http.22:05:05-23:00:00.log.gz
-rw-r--r--. 1 root root   174 Oct 19 22:00 known_hosts.21:54:41-22:00:00.log.gz
-rw-r--r--. 1 root root   233 Oct 19 22:00 known_services.21:54:41-22:00:00.log.gz
-rw-r--r--. 1 root root  2006 Oct 19 22:00 loaded_scripts.21:34:11-22:00:00.log.gz
-rw-r--r--. 1 root root   434 Oct 20 00:00 notice.23:02:17-00:00:00.log.gz
-rw-r--r--. 1 root root   197 Oct 19 22:00 packet_filter.21:34:11-22:00:00.log.gz
-rw-r--r--. 1 root root   393 Oct 19 22:00 reporter.21:34:21-22:00:00.log.gz
-rw-r--r--. 1 root root   270 Oct 19 22:00 software.21:54:41-22:00:00.log.gz
-rw-r--r--. 1 root root   336 Oct 19 22:00 ssh.21:55:11-22:00:00.log.gz
-rw-r--r--. 1 root root   400 Oct 20 00:00 ssh.23:00:00-00:00:00.log.gz
-rw-r--r--. 1 root root  1268 Oct 19 22:00 weird.21:34:12-22:00:00.log.gz
-rw-r--r--. 1 root root  2477 Oct 19 23:00 weird.22:00:00-23:00:00.log.gz
-rw-r--r--. 1 root root  2992 Oct 20 00:00 weird.23:00:00-00:00:00.log.gz
Bro has identified all the protocols it analyzed on October 19 and named the logs according to the protocol. For example, the HTTP and SSH protocols clearly stand out. Bro also provided additional logs, such as known_hosts, the connection log (conn), and others.
DHCP Compromise
As an example of Bro's abilities, I'll look at a specific incident. On October 30, the DHCP service on the network at 192.168.1.1 was "knocked over" via a distributed denial of service, and a rogue service was put in place at 192.168.1.2; however, the server team was unaware of when addresses were assigned by the rogue DHCP server. Bro can show when the first assignment was made:
ls dh*
dhcp.04:00:00-05:00:00.log.gz  dhcp.15:00:00-16:00:00.log.gz
Two logs concerning DHCP exist: one from 4:00am and one from 3:00pm. With the bro-cut command, I can determine that the earliest assignment by the rogue server was at 4:04am and assigned the address 192.168.1.27 (Listing 7). The field names used in this command, id.resp_h and assigned_ip, are found in the first few lines of all Bro logs. By using Bro's known services logs,
Listing 7
bro-cut

zcat dhcp.* | /opt/bro/bin/bro-cut -d ts id.resp_h assigned_ip lease_time
2014-10-30T04:04:04-0500  192.168.1.2  192.168.1.27  86400.000000
2014-10-30T15:54:52-0500  192.168.1.1  192.168.1.14  86400.000000
ls known_services*
known_services.03:00:00-04:00:00.log.gz  known_services.07:00:00-08:00:00.log.gz
I can confirm that Bro picked up on a new service in the time frame of interest, so I can check the known_services log before the address assignment identified in the previous command (Listing 8).
Listing 8
known_services Log of Interest

zcat known_services.03\:00\:00-04\:00\:00.log.gz | /opt/bro/bin/bro-cut -d
2014-10-30T03:00:29-0500  192.168.1.2  67  udp  DHCP
2014-10-30T03:12:12-0500  192.168.1.2  80  tcp  HTTP
2014-10-30T03:14:29-0500  192.168.1.2  53  tcp  HTTP
According to Listing 8, the rogue DHCP service on 192.168.1.2 was first recognized on the network at 3:00am, much earlier than existing logs could have provided. However, notice that Bro picked up on two additional services: two web servers – one running on the well-known port 80 and another on port 53. These steps can then be used to track down traffic to the server by checking and validating the corresponding HTTP logs that Bro produced.
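The bro-cut steps above work because every Bro log carries its column names in the header lines (#separator, #fields, #types). The following is an added example, not code from the article or from the Bro project, that reads those headers to build records from a constructed dhcp.log in the Bro 2.x layout (the field list ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, mac, assigned_ip, lease_time, trans_id is the assumption here), reproduces the column selection of Listing 7, and then applies the check this investigation was really about: which leases were handed out by a server that is not on the list of authorized DHCP servers. Timestamps are rendered in UTC rather than the local -0500 of the article's output, and the uid and mac values are made up.

```python
# Added example: minimal Bro ASCII log reader plus a rogue-DHCP-server check.
# Not from the article or the Bro project; the dhcp.log field list is assumed.
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. Epoch stamps correspond to 04:04:04 and 15:54:52 at
# -0500 on 2014-10-30; the first record has an unset ('-') trans_id on purpose.
SAMPLE_DHCP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdhcp
#open\t2014-10-30-04-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount
1414659844.000000\tCXWv6p3arKYeMETxOg\t192.168.1.27\t68\t192.168.1.2\t67\t00:11:22:33:44:55\t192.168.1.27\t86400.000000\t-
1414702492.000000\tCjhGID4nQcgTWjvg4c\t192.168.1.14\t68\t192.168.1.1\t67\t66:77:88:99:aa:bb\t192.168.1.14\t86400.000000\t7
#close\t2014-10-30-16-00-00
"""

# Bro #types names mapped to Python converters; anything else stays a string.
CONVERTERS = {"time": float, "interval": float, "double": float,
              "count": int, "int": int, "port": int}

Record = Dict[str, Optional[object]]


def parse_separator(value: str) -> str:
    """Bro writes the separator itself escaped, e.g. '\\x09' for a tab."""
    return value.encode("ascii").decode("unicode_escape")


def read_bro_log(text: str) -> Tuple[List[str], List[Record]]:
    """Return (field names, records) using the log's own header lines."""
    sep, unset = "\t", "-"
    fields: Optional[List[str]] = None
    types: Optional[List[str]] = None
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = parse_separator(line[len("#separator "):])
            elif line.startswith("#unset_field"):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            elif line.startswith("#types"):
                types = line.split(sep)[1:]
            continue                      # #set_separator, #path, #open, #close
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        col_types = types or ["string"] * len(fields)
        record: Record = {}
        for name, typ, raw in zip(fields, col_types, values):
            record[name] = None if raw == unset else CONVERTERS.get(typ, str)(raw)
        records.append(record)
    return fields or [], records


def iso_ts(ts: float) -> str:
    """Render an epoch time stamp like bro-cut -d, but in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S%z")


def bro_cut(records: List[Record], *names: str) -> List[tuple]:
    """Select columns by field name, the way bro-cut does."""
    return [tuple(iso_ts(r[n]) if n == "ts" else r[n] for n in names)
            for r in records]


def find_rogue_leases(records: List[Record],
                      authorized_servers: Set[str]) -> List[Tuple[str, str, str]]:
    """Leases whose responding server (id.resp_h) is not an authorized one."""
    return [(iso_ts(r["ts"]), r["id.resp_h"], r["assigned_ip"])
            for r in records if r["id.resp_h"] not in authorized_servers]


if __name__ == "__main__":
    _, recs = read_bro_log(SAMPLE_DHCP_LOG)
    for row in bro_cut(recs, "ts", "id.resp_h", "assigned_ip", "lease_time"):
        print(*row, sep="\t")
    # The server at 192.168.1.1 is the legitimate one in the article's scenario.
    for ts, server, client in find_rogue_leases(recs, {"192.168.1.1"}):
        print(f"rogue lease: {server} assigned {client} at {ts}")
```

Run against the real /var/opt/bro/logs/YYYY-MM-DD/dhcp.*.log.gz files (decompressed first), the same function gives the answer the server team lacked: the first lease handed out by an unauthorized server, without anyone having to know beforehand which column number assigned_ip is.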