Bro is running on Colossus, a VM on Eclipse, and now sends its logs to Elasticsearch. The Bro Network Security Monitor is installed in the directory:
/usr/local/bro
To start the program as root:
broctl start
which invokes the wrapper script:
../scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/auto
Logs for monitored traffic are held in ~/bro/logs/, with a current/ directory for the logs still being written. Traffic types are separated into labelled logs, e.g. smtp.log, dns.log, ssl.log.
A cron job is run every hour on Colossus for Bro:
0-59/5 * * * * broctl cron
The ~/bro/etc/broctl.cfg file contains parameters for the program environment; for example, it currently holds the rotation interval for logs and the email addresses for alerts and summaries.
The scripts for this Bro server are located in ~/bro/share/bro/site. This is the directory used for custom .bro scripts. The file local.bro in this directory is the only setup file needed, as this is a standalone Bro machine. It states which scripts (including protocol scripts) are run, and this is where you expand the detection capabilities of Bro (see also the configuration section), e.g.:
# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs

# Detect traceroute being run on the network.
@load misc/detect-traceroute
Standard Bro scripts are contained in the ~/bro/share/bro/policy/ directory and must be placed there. They are named with the .bro extension and generate a Notice when their validation of the network traffic fires. The Colossus server is authorised by Varda within the me.com domain to run Postfix with relayhost relay.me.com to amras.me.com.
Emails for stats are sent to: bro-stats@me.com
Emails for alerts are sent to: bro-alerts@me.com
To launch BroControl and run application commands on the live system, use the Bro command:
broctl
To list the current Bro config setup, run
[BroControl] > config
After updating a Bro script, update and restart using
[BroControl] > deploy
For a current check on throughput run
[BroControl] > capstats bro 10
To check the value of a script ID (very useful for debugging), use the print command
[BroControl] > print Notice::alarmed_types
To change the config of Bro, edit the ~/bro/etc/broctl.cfg file. If a config option is not visible, it is likely set to its default, so add the relevant option with its value (in seconds), e.g. = 86400 and LogRotationInterval = 14400
Edit local.bro to add the IPs that are to be excluded from capture:
redef cmd_line_bpf_filter = "((not host 195.194.187.210) and (not host 172.16.66.25))";
Use the local.bro in ~/bro/share/bro/site to include which protocol analysis scripts are run, to detect different threat types:
# Generate a notice on SSL deemed weak
@load protocols/ssl/weak-keys
Bro uses notice_alarm.log to send regular notices of identified suspect traffic. This is enabled with the script adjustment below in ~/bro/share/bro/site/local.bro; in this example for weak SSL keys (module SSL, Notice Type Weak_Key):
redef Notice::alarmed_types += {SSL::Weak_Key};
The type inside the curly braces above is taken directly from the protocol script's module and Notice Type, which refers to ../share/bro/policy/protocols/ssl/weak-keys.bro:
module SSL;

redef enum Notice::Type += {
    ## Indicates that a server is using a potentially unsafe key.
    Weak_Key,
    Weak_Cipher
};
The notice prints the entire connection string for that instance into the alarm email. Alarm definitions must go at the end of the config script, because the policy scripts that define the notice types have to be loaded first!
There are further definitions within some of the policy scripts that can be overridden, such as:
redef SMTP::suspicious_origination_countries += { "LV", "RU", "BW" };
which also belongs in the local.bro site definition script; the set itself is declared in the smtp/detect-suspicious-orig.bro script.
Within the SSL Weak_Key Bro script there is further suppression in the NOTICE() call. The fourth argument, $suppress_for=1day, was commented out so that the global alarm email setting applies. The fifth argument, $identifier=cat(c$id$resp_h, c$id$resp_p), causes suppression when both the $identifier and $note fields are the same for two notices. If $identifier is left out of a notice, no suppression takes place, because the framework has no way to identify duplicates.
After deploy is run the logs are refreshed. Once the hour mark has passed, both summary and alarm mails are sent and the logs rotated. The alarms are held in notice_alarm.log within ../bro/logs/current. The alarm scripts are in:
/usr/local/bro/share/bro/base/frameworks/notice
Here pp_alarms_name sets the text file for alarms to "alarm-mail.txt".
Alternatively, you can escalate even further and turn these into immediate email alerts, like this:
redef Notice::emailed_types += { HTTP::SQL_Injection_Attacker };
For repeated patterns of notices about an event, Bro suppresses notices for a default period. This can be adjusted as follows, to decrease it from the default of 1 hour:
redef Notice::default_suppression_interval = 30min;
While Bro comes with standard protocol scripts for certain events, its real power comes from writing custom scripts with which to raise alarms. Writing a script requires some understanding of the functions and variables involved, such as an entire TCP connection. In the example below a TCP connection is referenced and its elements separated out. This test was run on Colossus alongside the main running instance, simply printing connections (started with bro -i eth1 test.bro):
event connection_established(c: connection)
    {
    print fmt("Hello Bro");
    print c;
    print fmt("---------------------------");
    print fmt("Bro Layer 3 connection info:");
    print fmt("uid: %s", c$uid);
    print fmt("c$id$orig_h: %s", c$id$orig_h);
    print fmt("c$id$orig_p: %s", c$id$orig_p);
    print fmt("c$id$resp_h: %s", c$id$resp_h);
    print fmt("c$id$resp_p: %s", c$id$resp_p);
    }
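As an added example that builds on the connection_established test above and on the $identifier / $suppress_for behaviour described for the Weak_Key notice (this is not a script from the Colossus deployment and not part of the original page): a small site script that raises its own Notice for connections established to a set of watched responder ports and deduplicates repeats with $identifier. The module name SiteWatch, the notice type Watched_Port_Connection, the port values in watched_ports and the suppression interval are all assumptions chosen for illustration; the Notice API calls themselves (NOTICE, $identifier, $suppress_for, Notice::alarmed_types) are the ones the page already uses.

```bro
##! Added example site script (not part of the Colossus configuration).
##! Raises a notice for connections to a configurable set of watched
##! responder ports and shows how $identifier and $suppress_for control
##! notice suppression in the Notice framework.

@load base/frameworks/notice

module SiteWatch;

export {
    redef enum Notice::Type += {
        ## Raised when a connection is established to a watched responder port.
        Watched_Port_Connection,
    };

    ## Responder ports to alert on (hypothetical values for illustration).
    const watched_ports: set[port] = { 23/tcp, 2323/tcp } &redef;

    ## How long repeats from the same originator/port pair are suppressed
    ## (assumed value; overrides Notice::default_suppression_interval for
    ## this notice type only).
    const watched_port_suppress = 1hr &redef;
}

event connection_established(c: connection)
    {
    # Only act on the ports the site cares about.
    if ( c$id$resp_p !in watched_ports )
        return;

    NOTICE([$note=Watched_Port_Connection,
            $msg=fmt("connection established to watched port %s", c$id$resp_p),
            # $conn fills in the connection id fields (same detail the
            # test script above printed by hand).
            $conn=c,
            # A second notice with the same $note and the same $identifier
            # within $suppress_for is dropped by the framework. Without an
            # $identifier every matching connection would produce a notice.
            $identifier=cat(c$id$orig_h, c$id$resp_p),
            $suppress_for=watched_port_suppress]);
    }

# Route this type through the same alarm path as the Weak_Key example in
# local.bro, so it lands in notice_alarm.log and the alarm mail.
redef Notice::alarmed_types += { SiteWatch::Watched_Port_Connection };
```

Placed in ~/bro/share/bro/site and loaded from local.bro after the policy scripts, this follows the same ordering rule the page gives for alarm definitions: the notice type must exist before anything redefs Notice::alarmed_types with it. Dropping the $identifier line is the quickest way to see the difference suppression makes, since every matching connection then produces its own notice.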
From here you can understand the beginnings of script development for pattern matching on IPs, URLs or TCP connection component events. For detail on the IP matching script see: Bro IP matching
For reference see: broversity-lesson-2
Bro separates the layers of any traffic (e.g. 802.1Q, IPv6 Teredo tunnel, IPv4) and uses Dynamic Protocol Detection to parse protocols, then logs and alarms on the DNS, HTTP events etc.
The default logs in ~/bro/logs can hold useful information, such as the DNS lookups on the local network:
zless dns.10:00:00-11:00:00.log.gz
We can use the bro-cut command to separate the log data into columns.
The setup of elastic search stack SIEM and filebeats
Intel framework and alerting on intelligence feeds.
To enable the Bro Intel Framework and allow the integration of CIF feeds, add these three lines to your local.bro file:
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load policy/integration/collective-intel
To import the new data feed we just generated, configure Bro's Input Framework by adding the following lines to your local.bro file:
redef Intel::read_files += { "/opt/critical-stack/frameworks/intel/master-public.bro.dat", };
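As an added example of the same Intel framework wiring (not part of the Colossus configuration or of the original page): a locally maintained feed in the Intel framework's tab-separated file format, registered through Intel::read_files alongside the critical-stack feed, with every intel hit escalated to an immediate e-mail through the Notice::policy hook. The feed path, the feed source name local-soc and the indicator values are placeholders constructed for illustration; the #fields header layout, the Intel::ADDR / Intel::DOMAIN indicator types, the Intel::Notice type from do_notice and the Notice::policy hook are the framework's own.

```bro
##! Added example (not part of the Colossus configuration): a local intel
##! feed plus escalation of Intel::Notice hits to e-mail.

@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Constructed sample feed (path below is a placeholder). Columns are
# TAB-separated and the #fields header line is mandatory; the
# meta.do_notice column set to T is what makes do_notice raise
# Intel::Notice when the indicator is seen:
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
#   192.0.2.10<TAB>Intel::ADDR<TAB>local-soc<TAB>example scanner (constructed)<TAB>T
#   bad.example<TAB>Intel::DOMAIN<TAB>local-soc<TAB>example C2 domain (constructed)<TAB>T

# Register the file with the Input Framework, the same way the page
# registers the critical-stack feed. Bro re-reads the file when it changes.
redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/intel/local-feed.dat",   # placeholder path
};

# Escalate every intel hit to an immediate e-mail, on top of whatever
# Notice::alarmed_types / Notice::emailed_types already do. The hook-based
# notice policy is available in Bro 2.1 and later.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

The hook is the general form of the Notice::emailed_types shortcut used earlier on the page: it can look at any field of the notice (source, message, connection) before deciding on an action, whereas emailed_types keys on the type alone.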
Bro scripts