Bro scripts

After updating scripts run:

  • broctl check
  • broctl install
  • broctl restart

Custom scripts running

  • Darknet detection script: site/darknet.bro
    • Check all traffic going to port 22 on 195.194.187.209/28 using: c$id$resp_p == 22/tcp
    • Check all traffic going out from 195.194.187.209/28.
  • Check IRC connection data on the darknet:
    • if(c$id$resp_p == 161/udp) c$id$resp_p, c$irc$nick, c$irc$user, c$irc$command, c$irc$value
  • Sinkhole IP match script: site/bro-scripts/sinkholes/main.bro
    • Match check for malware or known-threat IPs using the comparison: malware_list value in c$dns$answers
    • List of IPs with names, defined in const malware_list_location = @DIR + "/malware_updated.dat"
  • Example usage: detect a spear-phishing attack:
    • SMTP with a domain-name URL in the content, then that domain name being clicked on and going out. Alert on this.
  • HTTP lookup comparison with intel sources (shadowserver / intel.me.com), or an insecure auth request.
  • Intel HTTP::IN_USER_AGENT_HEADER: output the User-Agent header for darknet HTTP matches, sinkhole matches and other URL drive-by matches.
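The darknet checks above, written out as a complete Bro script. This is an added example, not the site's own darknet.bro: the module name, the event handlers and the watched-port set are assumptions; the address range and the notice type Darknets::Darknet_Traffic are the ones on this page.

```zeek
##! Added example (not the site's darknet.bro): raise Darknets::Darknet_Traffic
##! for any connection that touches the darknet range, plus IRC activity there.

module Darknets;

export {
	redef enum Notice::Type += {
		## Traffic to or from the unused (darknet) address range.
		Darknet_Traffic,
	};

	## Range taken from the page; Bro masks the host bits, so this is the /28
	## that contains 195.194.187.209.
	const darknet_range = 195.194.187.209/28 &redef;

	## Inbound destination ports on the darknet that warrant a notice (assumed set).
	const watched_ports: set[port] = { 22/tcp } &redef;
}

# new_connection fires for TCP, UDP and ICMP alike; connection_established is TCP only.
event new_connection(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	# Inbound: something reached a darknet host on a watched port
	# (the page's c$id$resp_p == 22/tcp check).
	if ( resp in darknet_range && c$id$resp_p in watched_ports )
		NOTICE([$note=Darknet_Traffic, $conn=c,
		        $msg=fmt("darknet inbound %s -> %s:%s", orig, resp, c$id$resp_p),
		        $identifier=cat(orig, resp, c$id$resp_p),
		        $suppress_for=10min]);

	# Outbound: no host should exist in the darknet, so an originator there
	# is always worth a notice.
	if ( orig in darknet_range )
		NOTICE([$note=Darknet_Traffic, $conn=c,
		        $msg=fmt("darknet outbound %s -> %s:%s", orig, resp, c$id$resp_p),
		        $identifier=cat(orig, resp),
		        $suppress_for=10min]);
	}

# IRC on the darknet: the IRC analyzer must have attached (via DPD) for this
# event to fire, so c$irc is checked before its optional fields are read.
event irc_message(c: connection, is_orig: bool, prefix: string, command: string, message: string)
	{
	if ( c$id$orig_h !in darknet_range && c$id$resp_h !in darknet_range )
		return;

	local nick = ( c?$irc && c$irc?$nick ) ? c$irc$nick : "-";
	local user = ( c?$irc && c$irc?$user ) ? c$irc$user : "-";

	NOTICE([$note=Darknet_Traffic, $conn=c,
	        $msg=fmt("IRC on darknet nick=%s user=%s command=%s", nick, user, command),
	        $sub=message,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, "irc")]);
	}
```

The $identifier plus $suppress_for pair keeps a scanner that sweeps the whole /28 from producing one notice per SYN; the first hit is alarmed and repeats for the same source/destination are suppressed for ten minutes.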
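The sinkhole match described above, as an added example rather than the site's sinkholes/main.bro. It reads the IP-to-name list named on the page (malware_updated.dat) with the Input framework and raises DNS::malware_ip, also from the page, when a DNS answer resolves to a listed address. The record type names and the check_answer helper are assumptions; the example hooks the A/AAAA reply events instead of scanning c$dns$answers at log time.

```zeek
##! Added example (not the site's sinkholes/main.bro): keep the sinkhole list in a
##! table via the Input framework and notice DNS answers that point at it.

module DNS;

export {
	redef enum Notice::Type += {
		## A DNS answer resolved to an address on the sinkhole / malware list.
		malware_ip,
	};

	## Tab-separated file; the first line must be the header:  #fields<TAB>ip<TAB>name
	const malware_list_location = @DIR + "/malware_updated.dat" &redef;
}

# Index and value record types for the input file (assumed names).
type MalwareIdx: record {
	ip: addr;
};

type MalwareVal: record {
	name: string;
};

## In-memory copy of the list; the Input framework keeps it in sync with the file.
global malware_list: table[addr] of MalwareVal = table();

event bro_init()
	{
	Input::add_table([$source=malware_list_location,
	                  $name="malware_list",
	                  $idx=MalwareIdx, $val=MalwareVal,
	                  $destination=malware_list,
	                  # REREAD picks up edits to the file without a restart.
	                  $mode=Input::REREAD]);
	}

function check_answer(c: connection, ans: dns_answer, a: addr)
	{
	if ( a !in malware_list )
		return;

	NOTICE([$note=malware_ip, $conn=c,
	        $msg=fmt("%s resolved to sinkholed address %s (%s)",
	                 ans$query, a, malware_list[a]$name),
	        $sub=ans$query,
	        $identifier=cat(c$id$orig_h, a),
	        $suppress_for=1hr]);
	}

# Checking the reply events catches the hit as each answer arrives, instead of
# scanning the c$dns$answers vector once the DNS record is written to dns.log.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	check_answer(c, ans, a);
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	check_answer(c, ans, a);
	}
```

Because the table is keyed by addr, a CNAME chain that ends at a sinkholed address still matches: the final A/AAAA record is what is compared, not the name that was asked for.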
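For the intel comparison and the User-Agent output in the last two items, the following is an added example (not one of the site's scripts) of how the Intel framework is fed a local indicator file and how the User-Agent is attached to each Intel::Notice that came out of an HTTP connection. The file name intel.dat is an assumption; HTTP::IN_USER_AGENT_HEADER and Intel::Notice are the framework's own names.

```zeek
##! Added example (not a site script): load an indicator file into the Intel
##! framework and carry the HTTP User-Agent into every resulting Intel::Notice.

@load frameworks/intel/seen        # registers the "seen" locations, incl. HTTP::IN_USER_AGENT_HEADER and HTTP::IN_HOST_HEADER
@load frameworks/intel/do_notice   # raises Intel::Notice for items whose meta.do_notice is T

# Tab-separated indicator file (assumed name). The header line is mandatory:
# #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
# Rows carry e.g. an Intel::DOMAIN from shadowserver or an Intel::ADDR for a sinkhole.
redef Intel::read_files += { @DIR + "/intel.dat" };

hook Notice::policy(n: Notice::Info)
	{
	# Only intel notices that have an HTTP connection behind them are of interest here.
	if ( n$note != Intel::Notice || ! n?$conn || ! n$conn?$http )
		return;

	# Put the client's User-Agent in the notice's sub field so the alarm line
	# itself shows which software produced the match.
	if ( n$conn$http?$user_agent )
		n$sub = fmt("%s | user_agent=%s", n?$sub ? n$sub : "-", n$conn$http$user_agent);

	add n$actions[Notice::ACTION_ALARM];
	}
```

Hits from DNS::IN_REQUEST or Conn::IN_ORIG have no HTTP record and pass through the hook untouched; they still appear in notice.log with whatever actions the rest of local.bro assigns.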

Notice types alarmed by default

Switched on in site/local.bro

  • SSL::Weak_Key
  • DNS::malware_ip
  • Intel::Notice
  • Darknets::Darknet_Traffic
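The local.bro lines that switch these four alarms on, as an added example (not the site's actual local.bro). The notice names are the ones listed above; the @load paths for the two site scripts are assumptions.

```zeek
# Added example of the relevant part of site/local.bro.
@load protocols/ssl/weak-keys      # defines SSL::Weak_Key
@load frameworks/intel/do_notice   # defines Intel::Notice
@load darknet                      # site/darknet.bro -> Darknets::Darknet_Traffic (assumed path)
@load bro-scripts/sinkholes/main   # site/bro-scripts/sinkholes/main.bro -> DNS::malware_ip (assumed path)

# Types in alarmed_types get Notice::ACTION_ALARM: they are written to
# notice_alarm.log, which broctl summarises by e-mail, as well as to notice.log.
redef Notice::alarmed_types += {
	SSL::Weak_Key,
	DNS::malware_ip,
	Intel::Notice,
	Darknets::Darknet_Traffic,
};

# Darknet hits are additionally e-mailed straight away, at most once per
# identifier per hour.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Darknets::Darknet_Traffic )
		{
		add n$actions[Notice::ACTION_EMAIL];
		n$suppress_for = 1hr;
		}
	}
```

After editing local.bro the usual broctl check, install and restart sequence from the top of the page applies; check will report an unknown notice type if one of the defining scripts is not loaded before the redef.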

AlienVault OTX

From: https://bl0gg.ruberg.no/2016/03/threat-intelligence-otx-bro-silk-bind-rpz-ossec/

OTX can be used with Bro as well, and there are at least two Bro scripts for updating the feeds from the OTX API. The one that works for me is https://github.com/hosom/bro-otx. The script will make Bro register activity that matches indicators from an OTX pulse.

Sample log entries, modified for readability (orig_h, orig_p, resp_h, resp_p, fuid, file_mime_type, file_desc, seen.indicator, seen.indicator_type, seen.where):

  • my.ip.network 59541 some.dns.ip 53 - - - union83939k.wordpress.com Intel::DOMAIN DNS::IN_REQUEST
  • my.ip.network 40453 54.183.130.144 80 - - - ow.ly Intel::DOMAIN HTTP::IN_HOST_HEADER
  • 74.82.47.54 47235 my.ip.network 80 - - - 74.82.47.54 Intel::ADDR Conn::IN_ORIG
