Exercise 1: Basic Bro Operation
Run Bro on a trace file. Input files: trace1.tcpdump and buffer-overflow-attack.tcpdump
First, create a file local.bro that sets local_nets (Bro's set of local networks) to 10.20.1.0/24:
Solution:
redef local_nets: set[subnet] = { 10.20.1.0/24, };
Then run Bro with the following analyzers: tcp alarm weird
Solution:
setenv BROPATH /usr/local/bro/site:/usr/local/bro/policy:/usr/local/bro/policy/sigs
bro -r trace1.tcpdump local tcp alarm weird
Look at the log files (alarm.log, notice.log, conn.log, http.log, etc.).
Try some other analyzers, and look at the log files:
bro -r trace1.tcpdump tcp alarm weird ftp smtp
bro -r buffer-overflow-attack.tcpdump tcp alarm weird ftp
bro -r trace1.tcpdump scan alarm weird
What is the capture filter for each of the above?
Solution:
bro -r trace1.tcpdump tcp alarm weird ftp smtp print-filter
bro -r buffer-overflow-attack.tcpdump tcp alarm weird ftp print-filter
Modify the capture/restrict filters:
a) Add port 2222 to the capture filter and tell the ssh analyzer to look at port 2222;
b) add a restrict filter that excludes host 10.20.11.75
Solution:
Create a file called mysite.bro and add the following:
redef ssh_ports += { 2222/tcp };
redef restrict_filters += { ["not-75"] = "not (host 10.20.11.75)" };
redef capture_filters += { ["ssh-alt"] = "tcp port 2222" };
First check that the packet filter looks right:
bro -r trace1.tcpdump tcp alarm weird ssh mysite print-filter
Then run Bro:
bro -r trace1.tcpdump tcp alarm weird ssh mysite
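To see what the two redefs above actually do to the installed packet filter, here is an added Python model (not part of the exercise sheet and not Bro's own code) of how Bro 1.x composes capture_filters and restrict_filters: capture entries are ORed together, restrict entries are ANDed, and the two groups are conjoined, which is the expression print-filter shows. The table contents, the packet summaries and the exact parenthesization are constructed for illustration; only the three BPF primitives used in this exercise ("tcp port N", "host A", "not (...)") are evaluated.

```python
import re

# Constructed tables standing in for Bro's capture_filters / restrict_filters
# after mysite.bro is loaded. The "ssh" entry plays the role of the stock ssh
# analyzer's filter; "ssh-alt" and "not-75" are the entries added in mysite.bro.
CAPTURE_FILTERS = {
    "ssh": "tcp port 22",
    "ssh-alt": "tcp port 2222",
}
RESTRICT_FILTERS = {
    "not-75": "not (host 10.20.11.75)",
}


def build_pcap_filter(capture_filters, restrict_filters):
    """Compose the BPF string the way Bro does: capture entries ORed, restrict
    entries ANDed, both groups conjoined. Parenthesization is this model's own;
    Bro's print-filter output may group the terms slightly differently."""
    if not capture_filters:
        raise ValueError("at least one capture filter is required")
    capture = " or ".join(f"({f})" for _, f in sorted(capture_filters.items()))
    if not restrict_filters:
        return capture
    restrict = " and ".join(f"({f})" for _, f in sorted(restrict_filters.items()))
    return f"({capture}) and {restrict}"


def _match(fragment, packet):
    """Evaluate one filter fragment against a packet summary. Only the
    primitives this exercise uses are modeled: 'tcp port N', 'host A',
    and 'not ( ... )'. Anything else is rejected rather than guessed."""
    fragment = fragment.strip()
    m = re.fullmatch(r"not \((.*)\)", fragment)
    if m:
        return not _match(m.group(1), packet)
    m = re.fullmatch(r"tcp port (\d+)", fragment)
    if m:
        port = int(m.group(1))
        return packet["proto"] == "tcp" and port in (packet["sport"], packet["dport"])
    m = re.fullmatch(r"host (\d+\.\d+\.\d+\.\d+)", fragment)
    if m:
        return m.group(1) in (packet["src"], packet["dst"])
    raise ValueError(f"unsupported BPF fragment: {fragment!r}")


def packet_captured(packet, capture_filters=CAPTURE_FILTERS,
                    restrict_filters=RESTRICT_FILTERS):
    """True if the packet would reach Bro's analyzers: some capture entry
    matches AND every restrict entry holds."""
    return (any(_match(f, packet) for f in capture_filters.values())
            and all(_match(f, packet) for f in restrict_filters.values()))


def make_pkt(src, sport, dst, dport, proto="tcp"):
    """Build a constructed packet summary (5-tuple) for the model."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    print(build_pcap_filter(CAPTURE_FILTERS, RESTRICT_FILTERS))
    for p in (make_pkt("10.20.1.5", 40000, "10.20.11.80", 2222),
              make_pkt("10.20.1.5", 40001, "10.20.11.75", 2222),
              make_pkt("10.20.1.5", 40002, "10.20.11.80", 2222, proto="udp")):
        print(p["dst"], p["dport"], p["proto"], "->", packet_captured(p))
```

The second and third packets show the two ways traffic on the new port still never reaches Bro: the restrict filter removes everything involving 10.20.11.75 regardless of port, and a capture filter of "tcp port 2222" never admits UDP. This is why the sheet has you run print-filter before the real run; a restrict entry that is too broad silently blinds every analyzer at once.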
Whitelist exercise:
Tune the scan.bro policy so it does not generate a PortScan notice for host 10.20.11.92
Solution:
Add to mysite.bro:
redef skip_scan_sources += {10.20.11.92};
Then run Bro:
bro -r trace1.tcpdump tcp alarm weird ssh mysite
notice_policy exercise:
a) Use notice_action_filters to send the following notices to the notice file only (not the alarm file):
WeirdActivity, BackscatterSeen, RetransmissionInconsistency
Solution:
redef notice_action_filters += {
	[[ WeirdActivity, BackscatterSeen, RetransmissionInconsistency ]] = file_notice,
};
b) Don't generate alarms (only notices) for host 10.20.11.75
Solution:
const ignore_hosts: set[addr] = { 10.20.11.75 };
redef notice_policy += {
	[$pred(n: notice_info) =
		{
		return (n?$src && n$src in ignore_hosts) || (n?$dst && n$dst in ignore_hosts);
		},
	 $result = NOTICE_FILE,
	 $priority = 1],
};
Other things to try:
redef use_tagging = T;