Difference between revisions of "Episode336"

From Security Weekly Wiki
Revision as of 19:36, 20 June 2013


Episode Media

Announcements

PaulDotCom Security Weekly - Episode 336 for Thursday June 20th, 2013

  • The Hills have IPs!! Defensive Intuition (the Consulting arm of PaulDotCom Enterprises) and Black Hills Information Security have joined forces to offer all your training, Active Defense and pen test needs! Visit www.blackhillsinfosec.com for more information.
  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
  • BSides RI recap and wrap-up. We are already actively working on next year, we're looking for sponsors and volunteers, and we have a web site! http://bsidesri.org

Interview: Pete Lindstrom from Spire Security

Pete Lindstrom is Principal and Vice President of Research for Spire Security, an industry analyst firm providing analysis and research in the information security field. Pete operated as the deputy to the Chief Information Security Officer for Wyeth Pharmaceuticals and honed his finance and technology skills in the United States Marine Corps where he was one of two disbursing officers in theater during the First Gulf War.

  1. How did you get your start in information security?
  2. What advice do you have for others just getting their start in information security?
  3. Let's argue one side of the coin: if we are more public about our disclosure, in other words, we tell the world about the vulnerabilities we've discovered, wouldn't that help shape the industry so that vendors would fix software more quickly and/or have a better process for producing better code/product?
  4. What are some of the negative effects of disclosing too early?
  5. Tell us about Google's new policy on going full disclosure about vulnerabilities and the new 7-day rule.
  6. How do we effectively manage risk in the face of uncertainties? Can we just be compliant and be good, right?
  7. People ask us all the time, so I will ask you :) what are the top 3 metrics you can present to management to get more help implementing security?
  8. Let's talk broad topics: risk, metrics, quantitative vs. qualitative, ROI, ROSI, art vs. science, product/platform/system "x" is more secure/insecure than product/platform/system "y", unintended consequences, Google's disclosure policy; Gartner's Security Myth #3; Tripwire's art/science 'survey'

Five Questions:

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. In a game of ass grabby-grabby do you prefer to go first or second?
  4. If you wrote a book about yourself, what would the title be?
  5. Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Liam and Seth on Bro IDS

Bro is a passive, open-source network traffic analyzer and was originally developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL. Liam Randall and Seth Hall are on to give us additional insight into how Bro IDS is used.

Intro

Seth Hall (@remor) is the engineering lead developer for Bro; an experienced incident responder, he has previously worked at Ohio State University, GE, and other high-profile locations.


Liam Randall (@Hectaman) is a long-time security consultant, trainer, and open source contributor. Our Brovangelist, his talks and training sessions have helped others understand the power and flexibility of the Bro Platform. Professionally, he has brought the Bro Platform to dozens of vertical industry markets and is leading the product development side for Bro.


History

Bro is a BSD-licensed network analysis platform (@Bro_IDS) currently under development at the International Computer Science Institute and NCSA. Bro passively understands information on the network in real time, and provides analysts and operators with an unmatched stateful paradigm for comprehending and interacting with their networks. Bro processes all your network data scalably and efficiently, and supports the most common TCP/IP-based network protocols over both IPv4 and IPv6. Bro's Turing-complete programming language, along with a rich set of cluster-safe frameworks, allows you to write sophisticated analysis code once and run it anywhere.


Bro IDS, our first great application written in the Bro network programming language, gives you an in-depth view of your network's activity, which over and over again has proven an invaluable resource for security monitoring, forensics, and troubleshooting. The Bro IDS security stack is built on a tremendously powerful core set of features that gives you dynamic protocol detection,


Demonstration

Bro can either be run live on your network traffic, attached to a tap, or used in stand-alone mode to analyze pcaps. For a quick demonstration I have selected some interesting malware sample pcaps gratefully posted by Mila from the Contagio malware dump blog.

Installation

You have three quick and easy options for getting started with Bro:


  1. Our packages: QuickStart & Installation Guides (http://trac.bro-ids.org/sphinx/quickstart.html)
  2. If you need a little assistance getting Bro up and running, simply download the latest revision of Doug Burks' amazing SecurityOnion, where Bro is included.
  3. Directly from our git repository (git.bro.org): http://git.bro.org/

Confirm Bro is successfully installed with:

liam@osprey:~$ bro -v
bro version 2.1

Downloading Samples

Clone the repository:

git clone https://github.com/LiamRandall/bro-training
cd bro-training/malware-demo/


At this point you may want to enable some extra Bro features like file extraction; if you are running Bro 2.1 you can use this helpful video to walk you through the process (it's only two lines of configuration): Bro IDS File Extraction using HTTP, FTP, SMTP & IRC.

Example: Trojan:Win32/Yayih.A


$ cd mswab_yayih/
$ bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local
$ ls
capture_loss.log conn.log dns.log http.log loaded_scripts.log Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap notice.log notice_policy.log packet_filter.log reporter.log signatures.log


Bro has done three things for you:


  1. Dynamically detected protocols and created a detailed protocol log for each TCP/IP-layer protocol for which it has an analyzer.
  2. Created some interesting "alert" logs that give you metadata about the sample: capture_loss.log to let you know whether the capture is clean, weird.log for unusual things, and notice.log for detected behavior.
  3. Taken action: Bro is a programming language, so a script may have reached out to the Team Cymru Malware Hash Registry, posted to Twitter, etc.

Look at these logs now and you should see:

  1. capture_loss.log: no dropped packets
    • #types time interval string count count string
    • 1330843811.964963 267.706293 bro 0 8 0.000%
    • #close 2013-06-20-15-36-58
  2. conn.log: DNS traffic on 53, http on 443
    • That doesn't look right, does it? You would expect to see SSL on port 443.
  3. dns.log
    • Ok, 4 queries documented here.
  4. http.log
    • Hmmm... a bunch of POST requests to /bbs/info.asp.
    • Important to note: this is VALID HTTP traffic. Our analyzer was able to follow it successfully through its state transitions.
  5. notice.log
    • There is a lot here, but what should jump out is the notice type "Signatures::Sensitive_Signature": a cmd.exe banner was detected.


Bro is telling you that there is a shell being tunneled through the HTTP traffic!


There are a lot of fun pcaps here, and there are many ways to interface with your Bro logs: the command line, Splunk, our native Elasticsearch writer, or Martin Holste's ELSA (included in SecurityOnion). Here are some tips for working from the command line:


  1. Bro is "unixy": if you are not a sed/awk/grep expert you can use our helpful tool bro-cut to parse up the logs by just specifying the column names you would like to view.
  2. Try just summarizing the "who" of a conversation, plus the ports and protocols; a lot of malware stands out like a sore thumb:

To display just the source IP, destination IP, destination port and the heuristically detected service (http, ssl, etc.):


cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service


So then you can get some quick summary statistics:

cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service | sort | uniq -c | sort -n


Continue to experiment with the other malware pcaps, or with the samples included in SecurityOnion; it's neat to see Bro dissecting and analyzing the content of various protocol tunnels like Teredo, GTP, 6in4, and others.

Conclusion

There is way more to Bro than I could demonstrate in one simple blog post. With the Bro programming language you can build a huge variety of network applications, even applications that have nothing to do with network monitoring or security. Immediately, Bro IDS is a compelling reason to get Bro onto your network today, and in the very short term all of the little pieces of glue that tie your network data to massive troves of intelligence, heuristics, and other integrations are very exciting. Over the long term I know that we'll see other large applications implemented in Bro, things like Bro-DLP, compliance scripts and so forth.


References

  1. QuickStart & Installation Guide: http://trac.bro-ids.org/sphinx/quickstart.html
  2. Training Material, including video walk-throughs: http://www.bro.org/documentation/training/index.html
  3. 2013 Bro Shmoocon Presentation by Liam Randall, currently the best overview of what we are doing: http://www.youtube.com/watch?v=7DCPuHdCbpw
  4. 2013 Bro Exchange, our National Science Foundation (http://www.nsf.gov) supported upcoming training session at the National Center for Supercomputing Applications: http://blog.bro.org/2013/06/announcing-bro-exchange-2013-and.html
  5. Details of our current NSF funding award, Abstract #1032889, SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments: http://www.nsf.gov/awardsearch/showAward?AWD_ID=1032889&HistoricalAwards=false
  6. Broala, the new Bro Core Team consulting company: http://www.broala.com
  7. Liam Randall's upcoming book, Applied NSM: http://www.appliednsm.com/

Announcement

Stories

Paul's Stories

  • Do you cover up your webcam?: http://www.f-secure.com/weblog/archives/00002570.html
  • Security issue in iOS Personal Hotspot: http://www.h-online.com/security/news/item/Security-issue-in-iOS-Personal-Hotspot-1892474.html
  • Sometimes, The PenTest Gods Shine On You (SpiderLabs Anterior): http://blog.spiderlabs.com/2013/06/sometimes-the-pentest-gods-shine-on-you.html
  • Critical Update Plugs 40 Security Holes in Java: http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-java/
  • Texas becomes first US state to ban warrantless email snooping: http://www.securityorb.com/2013/06/texas-state-ban-warrantless-email-snooping/
  • Beware Of HTML5 Development Risks: http://www.darkreading.com/applications/beware-of-html5-development-risks/240156891
  • Security Needs More Designers, Not Architects: http://www.darkreading.com/management/security-needs-more-designers-not-archit/240156950

Larry's Stories

Jack's Stories

Allison's Stories

Patrick's Stories