Saturday, December 7, 2013

Network Forensics with Bro(s)

I recently had the opportunity to give a short presentation at the BayThreat security conference. I talked about using Bro (because that's all I talk about). The BayThreat CFP requested actionable talks and I thought it was a perfect opportunity to demonstrate Bro.
The presentation, similar to this blog, was geared towards Bro newbies. I presented a general high level methodology for analyzing network trace files and showed how Bro can be used to make steps of the methodology much faster and thorough. The presentation looked at a pcap from a live honeypot system which was part of an online challenge designed to force participants to analyze trace files containing common attacks.

The slides from my presentation can be found here.

First, I introduced Bro and described how it worked. I explained how Bro's core works together with its custom scripting language to handle events that occur on the network.

Next, a basic methodology for analyzing pcap files was presented. It included the following steps:

0. determine context
1. orient and inventory
2. investigate a single artifact from the inventory
3. categorize that single artifact
4. filter the categorized artifact from the inventory
5. repeat until every artifact in the inventory is categorized

Once Bro was explained and the analysis methodology was laid out, I walked through each of the steps in the methodology, applying Bro where possible.

Step 1.
Feeding the pcap to Bro, along with a custom policy script (a tweaked version of the local.bro), produced log files and a directory of files transferred within the pcap. These outputs were used as an inventory.

Step 2.
Searching through the log files was easily accomplished using bro-cut, grep, and other common CLI tools.

Step 3.
SSH bruteforcing, FTP bruteforcing, HTTP crawlers (looking for administrative pages e.g. for phpMyAdmin) were identified and categorized as suspect. Legitimate artifacts were also discovered such as a package update occurring on the honeypot system, an SSH session and anonymous FTP logins.

Step 4.
A Bro script (pseudo code) was presented to reduce the logs Bro creates when reading in a pcap file. By adjusting log output, an analyst would be able to filter the inventory generated in step 1.

Step 5.
Due to time constraints, the remainder of the pcap's inventory was left as an exercise for the audience.


Hopefully everyone who attended the presentation was able to learn and take something away from the material. I encourage you, as readers of this post, to attempt to use Bro to walk through the pcap.