Saturday, December 16, 2006

Bro Offline Packet Analysis (DPD Enabled)

Bro-ids is a beast; you will have to spend some time to actually understand how it works, or maybe just understand it partially. There's no good guide to Bro-ids that you can find; the only things you can do are subscribe to the mailing list, read the Bro-ids Wiki, or maybe read its code (ouch). The documentation that comes with Bro-ids is rather old. I think most people out there are using Snort; it is lightweight, and Snort-related documentation and books are everywhere too. I have to admit that Bro-ids is not very easy to use, but you can find it very powerful from time to time. Anyway, you can download it here; to install it -

shell>tar xvzf bro-1.2-devel.tar.gz

shell>cd bro-1.2-devel

shell>./configure --prefix=/usr/local/stow/bro-1.2-devel

shell>make && make install

You will have to run make install-brolite so that configuration can be done easily. Once you have finished the configuration, let's navigate the installed Bro. The reason I chose to install Bro in a non-standard directory is that it will be easier for us when we need to either remove or upgrade it next time.

shell>ls -la /usr/local/stow/bro-1.2-devel/
total 38
drwxr-xr-x 16 bro wheel 512 Dec 15 19:33 .
drwxr-xr-x 16 root wheel 512 Dec 12 14:35 ..
drwxr-xr-x 2 bro wheel 512 Dec 6 09:17 archive
drwxr-xr-x 2 bro wheel 512 Dec 6 10:00 bin
drwxr-xr-x 5 bro wheel 512 Dec 6 10:00 doc
drwxr-xr-x 2 bro wheel 512 Dec 6 12:23 etc
drwxr-xr-x 2 bro wheel 512 Dec 6 09:57 include
drwxr-xr-x 2 bro wheel 512 Dec 6 09:57 lib
drwxr-xr-x 4 bro wheel 5632 Dec 15 16:04 logs
drwxr-xr-x 3 bro wheel 512 Dec 6 10:08 perl
drwxr-xr-x 4 bro wheel 4096 Dec 15 19:34 policy
drwxr-xr-x 2 bro wheel 512 Dec 6 09:17 reports
drwxr-xr-x 2 bro wheel 512 Dec 6 10:08 scripts
drwxr-xr-x 4 bro wheel 512 Dec 6 09:14 share
drwxr-xr-x 2 bro wheel 512 Dec 6 12:42 site
drwxr-xr-x 2 bro wheel 512 Dec 15 16:04 var

I won't go through every directory and explain them one by one; however, you should look at site, which is used to store your site configuration. You should check and tune the configuration files in the site directory, especially the one with your hostname as its prefix. By default, brolite is enabled to load all the default policies.

@load brolite

One of the things you can do is enable Snort signature matching by uncommenting the following line -

# To run signatures, uncomment the following line.
@load brolite-sigs

The next important directory is etc (the configuration directory); you will find that most of Bro's path variables are stored in bro.cfg in the etc directory. Then come the policy scripts; this directory needs a lot of tuning depending on your network environment. You can check out the brolite.bro script inside the policy directory to see what is loaded by default. The other directories shown are pretty self-descriptive, so I won't touch on them.

Since this post is about Bro-IDS Offline Packet Analysis, I will just talk about that. To actually do it, I have to add or append the following part to .bash_profile, since my environment variables are stored there (I'm using bash); you should change it if you use a different shell.



Since at first I had no clue how to use Bro with DPD (dynamic protocol detection), I referred to brolite.bro to find out which analyzers are needed for dynamic protocol detection. Here's the entry in brolite.bro -

## Dynamic Protocol Detection configuration
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
const use_dpd = T;

@ifdef ( use_dpd )
@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy

# By default, DPD looks at all traffic except port 80.
# For lightly loaded networks, comment out the restrict_filters line.
# For heavily loaded networks, try adding addition ports (e.g., 25) to
# the restrict filters.
redef capture_filters += [ ["tcp"] = "tcp" ];
# redef restrict_filters += [ ["not-http"] = "not (port 80)" ];

The default offline packet analysis can be done by using mt.bro, which is located in the policy directory. Here's the content of my mt.bro -

# $Id: mt.bro 340 2004-09-09 06:38:27Z vern $

@load alarm
@load dns-lookup
@load hot
@load frag
@load tcp
@load scan
@load weird
@load finger
@load ident
@load ftp
@load login
@load portmapper
@load ntp
@load tftp
@load profiling
# Loading DPD
@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy

You can see I have added dynamic protocol detection (DPD) to mt.bro so that I can use the latest DPD when doing offline traffic analysis.
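A quick check that a policy file really loads every script in the DPD block from brolite.bro, shown here as an added example (it is not from the original post or the Bro distribution). The function names and the sample policy file are constructed for illustration; commented-out @load lines are treated as not loaded.

```shell
#!/bin/sh
# Added example: report which DPD policy scripts a Bro policy file fails to @load.
# The module list is the one from the brolite.bro excerpt quoted on this page.
DPD_MODULES="dpd irc-bot dyn-disable detect-protocols detect-protocols-http proxy"

# loaded_modules FILE: print one module name per active (uncommented) @load line.
loaded_modules() {
    # Strip comments first so that "# @load dpd" does not count as loaded.
    sed -e 's/#.*$//' "$1" |
        awk '$1 == "@load" && NF >= 2 { print $2 }' |
        sort -u
}

# missing_dpd FILE: print the DPD modules FILE does not load, space-separated.
missing_dpd() {
    loaded=$(loaded_modules "$1")
    missing=""
    for m in $DPD_MODULES; do
        # -x matches the whole line, so detect-protocols != detect-protocols-http.
        printf '%s\n' "$loaded" | grep -qxF -- "$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: one DPD script commented out, one absent altogether.
write_sample() {
    cat > "$1" <<'EOF'
@load alarm
@load tcp
# Loading DPD
@load dpd
@load irc-bot
# @load dyn-disable
@load detect-protocols
@load detect-protocols-http
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "missing DPD scripts: $(missing_dpd "$sample")"
rm -f "$sample"
```

Point missing_dpd at the real file (for example policy/mt.bro under the install prefix) before an offline run; an empty result means the whole DPD set is loaded.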

Running bro offline packet analysis
shell>bro -f tcp -r 060915-Event.pcap mt

After bro has executed successfully, you may find all the logs in the current directory.

shell>ls -la *.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 alarm.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 conn.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 ftp.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 irc-bots.log
-rw-r--r-- 1 root wheel 104 Dec 11 14:01 irc-bots.summary.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 irc.detailed.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 irc.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 notice.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 prof.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 signatures.log
-rw-r--r-- 1 root wheel 0 Dec 11 14:27 weird.log

Dynamic Protocol Detection is still new, or considered to be in early development; we will see more and more protocols supported in the future. Interestingly, you can print all the BPF filter expressions of mt.bro -

shell>bro -f tcp mt print-filter
(((((((((((ip[6:2] & 0x3fff != 0) and tcp) or (port 111)) or (tcp[13] & 7 != 0)) or (port 6667)) or (port finger)) or (port telnet or tcp port 513)) or (udp port 123)) or (port ftp)) or (tcp port 113)) or (udp port 69)) or (port 6666)

By the way, I'm using the wrong term - Offline Packet Analysis. Bro doesn't work that way; it is more Offline Traffic Analysis, as it analyses the full network stream instead of working packet by packet.

Enjoy (;])

1 comment:

Anonymous said...

Snort lightweight? Perhaps at one time, but not anymore.