Difference between revisions of "Episode336"

From Security Weekly Wiki
Line 177: Line 177:
# [[QuickStart]][[Installation Guide]]
# [http://trac.bro-ids.org/sphinx/quickstart.html QuickStar & Installation Guide]
# [[Training Material]]- including video walk throughs
# Training Material- including video walk throughs
# [[2013 Bro Shmoocon Presentation]]-  by Liam Randall, currently the best overview of what we are doing
# 2013 Bro Shmoocon Presentation-  by Liam Randall, currently the best overview of what we are doing
# [[2013 Bro Exchange]]- Our[[National Science Foundation]] supported upcoming training session at the [[National Center for Supercomputing Applications]]
# 2013 Bro Exchange- Our[ National Science Foundation]] supported upcoming training session at the [[National Center for Supercomputing Applications]]
# Details of our Current NSF Funding Award: Abstract #1032889  [[SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments]]
# Details of our Current NSF Funding Award: Abstract #1032889  [[SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments]]
# [[Broala]], The new Bro Consulting Company
# [[Broala]], The new Bro Consulting Company
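Review bot: the new-side line for the 2013 Bro Exchange entry leaves unbalanced link brackets, "Our[ National Science Foundation]]", so the markup will show up literally in the rendered page; either restore the opening "[[" or drop the trailing "]]" as was done for the National Center for Supercomputing Applications links elsewhere. The new external link text for the first entry also reads "QuickStar" rather than "QuickStart", and the Training Material and Shmoocon entries lose their wiki links without gaining a replacement URL, so consider adding external links there as was done for the first entry.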

Revision as of 18:46, 20 June 2013

Episode Media


PaulDotCom Security Weekly - Episode 336 for Thursday June 20th, 2013

  • The Hills have IPs!! Defensive Intuition (the Consulting arm of PaulDotCom Enterprises) and Black Hills Information Security have joined forces to offer all your training, Active Defense and pen test needs! Visit www.blackhillsinfosec.com for more information.
  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
  • BSides RI recap and wrap-up. We are already actively working on next year, we're looking for sponsors and volunteers, and we have a web site! http://bsidesri.org

Interview: Pete Lindstrom from Spire Security

Pete Lindstrom is Principal and Vice President of Research for Spire Security, an industry analyst firm providing analysis and research in the information security field. Pete operated as the deputy to the Chief Information Security Officer for Wyeth Pharmaceuticals and honed his finance and technology skills in the United States Marine Corps where he was one of two disbursing officers in theater during the First Gulf War.

Tech Segment: Liam and Seth on Bro IDS

Bro is a passive, open-source network traffic analyzer and was originally developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL. Liam Randall and Seth Hall are on to give us additional insight into how Bro IDS is used.


Seth Hall (@remor) is the engineering lead developer for Bro; an experienced incident responder, he has previously worked at Ohio State University, GE, and other high profile locations.

Liam Randall (@Hectaman) is a long time security consultant, trainer, and open source contributor. Our Brovangelist, his talks and training sessions have helped others understand the power and flexibility of the Bro Platform. Professionally, he has brought the Bro Platform to dozens of vertical industry markets and is leading up the product development side for Bro.


Bro is a BSD-licensed, powerful network analysis platform (@Bro_IDS) currently under development at the International Computer Science Institute and NCSA. Bro passively understands information on the network in real time, and provides analysts and operators with an unmatched stateful paradigm for comprehending and interacting with their networks. Bro processes all your network data scalably and efficiently, and supports the most common TCP/IP-based network protocols over both IPv4 and IPv6. Bro’s Turing-complete programming language, along with a rich set of cluster-safe frameworks, allows you to write sophisticated analysis code once and run it anywhere.

Bro IDS, our first great application written in the Bro Networking Programming Language, gives you an in-depth view of your network’s activity, which over and over again has proven an invaluable resource for security monitoring, forensics, and troubleshooting. The Bro IDS security stack is built on a tremendously powerful core set of features that gives you dynamic protocol detection,


Bro can either be run live on your network traffic attached to a tap or used in stand alone mode to analyze pcaps. For a quick demonstration I have selected some interesting malware sample pcaps gratefully posted by Mila from the Contagio malware dump blog.


You have three quick and easy options for getting started with Bro:

  1. Our packages: QuickStart & Installation Guides
  2. If you need a little assistance getting Bro up and running, simply download the latest revision of Doug Burks’ amazing SecurityOnion, where Bro is included.
  3. Direct from our github

Confirm Bro is successfully installed with:

liam@osprey:~$ bro -v

bro version 2.1

Downloading Samples

git clone

cd bro-training/malware-demo/

At this point you may want to enable some extra bro features like file extraction; if you are running Bro 2.1 you can use this helpful video to walk you through the process (it’s only two lines of configuration) : Bro IDS File Extraction using HTTP, FTP, SMTP & IRC

Example: Trojan:Win32/Yayih.A

$ cd mswab_yayih/

$ bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local

WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.

WARNING: Template value remaining in BPFConf filename: /etc/nsm/Template:Hostname-Template:Interface/bpf-bro.conf (/opt/bro/share/bro/securityonion/./bpfconf.bro, line 99)

$ ls

capture_loss.log conn.log dns.log http.log loaded_scripts.log Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap notice.log notice_policy.log packet_filter.log reporter.log signatures.log

Bro has done three things for you:

  1. Dynamically detected protocols and created detailed protocol logs for each TCP/IP layer for which it has an analyzer.
  2. Created some interesting “Alert” logs that give you metadata about the sample: capture_loss.log to let you know if the traffic is clean, weird.log for unusual things, and notice.log for detected behavior.
  3. Taken action: Bro is a programming language, so maybe it reached out to the Team Cymru malware hash registry, or updated Twitter, etc.

Look at these logs now and you should see:

  1. capture_loss.log - no dropped packets

#types time interval string count count string
1330843811.964963 267.706293 bro 0 8 0.000%
#close 2013-06-20-15-36-58

  2. conn.log - DNS traffic on 53, HTTP on 443

That doesn’t look right, does it? You would expect to see SSL on port 443.

  3. dns.log

OK, 4 queries documented here.

  4. http.log

Hmmm... a bunch of POST requests to /bbs/info.asp.

Important to note: this is VALID HTTP traffic. Our analyzer was able to follow it successfully through state transitions.

  5. notice.log

There is a lot here, but what should jump out is the notice type of “Signatures::Sensitive_Signature”: a cmd.exe banner detected.

Bro is telling you there is a shell being tunneled through the HTTP traffic!

There are a lot of fun pcaps here, and there are many ways to interface with your Bro logs: command line, Splunk, our native Elastic Search writer, Martin Holste’s ELSA (included in SecurityOnion). Here are some tips for working from the command line:

  1. Bro is “unixy”; if you are not a sed/awk/grep expert, you can use our helpful tool bro-cut to parse the logs by just specifying the column names you would like to view.
  2. Try just summarizing the who of a conversation, the ports and protocols; a lot of malware stands out like a sore thumb.

To just display the source IP, destination IP, destination port and heuristically detected service (http, ssl, etc.):

cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service

So then you can get some quick summary statistics:

cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service | sort | uniq -c | sort -n
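
The port/service check from the conn.log walkthrough above (HTTP showing up on 443 where SSL is expected), as an added example that is not part of the original show notes or the Bro project's code. The port-to-service table and the sample rows are assumptions constructed for illustration; columns are resolved by name from the #fields header, the way bro-cut does.

```sh
#!/bin/sh
# Added example: list conn.log conversations whose detected service differs
# from the service expected on the responder port.

# Constructed sample in Bro's TSV layout (documentation address ranges).
# A real conn.log has more columns; they are ignored because columns are
# looked up by name from the "#fields" header line.
sample_conn_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n'
  printf '1330843811.1\t192.0.2.10\t1030\t192.0.2.53\t53\tudp\tdns\n'
  printf '1330843812.2\t192.0.2.10\t1031\t198.51.100.7\t443\ttcp\thttp\n'
  printf '1330843875.3\t192.0.2.10\t1032\t198.51.100.7\t443\ttcp\thttp\n'
  printf '1330843900.4\t192.0.2.10\t1033\t203.0.113.9\t443\ttcp\tssl\n'
  printf '1330843901.5\t192.0.2.10\t1034\t203.0.113.9\t80\ttcp\t-\n'
}

# Reads a conn.log on stdin.
# Prints one line per conversation: count orig_h resp_h resp_p seen expected
service_mismatches() {
  awk -F'\t' '
    BEGIN {
      # Assumed port-to-service expectations; extend for your own network.
      expect[21] = "ftp"; expect[22] = "ssh"; expect[25] = "smtp"
      expect[53] = "dns"; expect[80] = "http"; expect[443] = "ssl"
    }
    # "#fields" names every column; the tag itself occupies $1.
    $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }    # skip the remaining header and footer lines
    {
      port = $(col["id.resp_p"]); svc = $(col["service"])
      # "-" is an unset field (no analyzer attached), so it is not a mismatch.
      if ((port in expect) && svc != "-" && svc != expect[port])
        n[$(col["id.orig_h"]) " " $(col["id.resp_h"]) " " port " " svc " " expect[port]]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

sample_conn_log | service_mismatches
```

Against a real log, run `service_mismatches < conn.log`; repeated hits between the same pair of hosts sort to the top.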

Continue to experiment with the other malware pcaps or samples included in SecurityOnion; it’s neat to see Bro dissecting and analyzing the content of various protocol tunnels like Teredo, GTP, 6in4, and others.


There is way more to Bro than I could demonstrate in one simple blogpost. With the Bro Programming Language you can build a huge variety of network applications, even applications that have nothing to do with network monitoring or security. Immediately, Bro IDS is a compelling reason to get Bro into your network today, and in the very short term all of the little pieces of glue to tie your network data to massive troves of intelligence, heuristics, and other integration are very exciting. Over the long term I know that we’ll see other large applications implemented in Bro: things like Bro-DLP, compliance scripts and so forth.


  1. QuickStart & Installation Guide
  2. Training Material - including video walk throughs
  3. 2013 Bro Shmoocon Presentation - by Liam Randall, currently the best overview of what we are doing
  4. 2013 Bro Exchange - Our National Science Foundation supported upcoming training session at the National Center for Supercomputing Applications
  5. Details of our Current NSF Funding Award: Abstract #1032889 SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments
  6. Broala, The new Bro Consulting Company
  7. Liam Randall’s upcoming book



Paul's Stories

  • Do you cover up your webcam? - http://www.f-secure.com/weblog/archives/00002570.html
  • Security issue in iOS Personal Hotspot - http://www.h-online.com/security/news/item/Security-issue-in-iOS-Personal-Hotspot-1892474.html
  • Sometimes, The PenTest Gods Shine On You - SpiderLabs Anterior - http://blog.spiderlabs.com/2013/06/sometimes-the-pentest-gods-shine-on-you.html
  • Critical Update Plugs 40 Security Holes in Java - http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-java/
  • Texas becomes first US state to ban warrantless email snooping - http://www.securityorb.com/2013/06/texas-state-ban-warrantless-email-snooping/
  • Beware Of HTML5 Development Risks - http://www.darkreading.com/applications/beware-of-html5-development-risks/240156891
  • Security Needs More Designers, Not Architects - http://www.darkreading.com/management/security-needs-more-designers-not-archit/240156950

Larry’s Stories

Jack’s Stories

Allison's Stories

Patrick's Stories