[Bro] Crowdstrike Additional Intel types

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Tue Jan 13 06:51:03 PST 2015

Hi Seth,
Thanks for the response. It sounds like there are a few strands coming together soon that will make this, and much more, all possible; sounds good.

BTW: Enjoyed Floss Weekly 296!
Kind regards,
Andrew.Ratcliffe at NSWCSystems.co.uk

On 13 Jan 2015, at 14:10, Seth Hall <seth at icir.org> wrote:

On Jan 13, 2015, at 3:30 AM, Andrew Ratcliffe <Andrew.Ratcliffe at nswcsystems.co.uk> wrote:

> But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB where the username is in the clear?

Even better is that development on the Authentication framework has been picked up again and is making some progress.  Personally I’d like to see it make its way into 2.4 so that we’d be able to have a generic, abstract implementation for authentication handling.

In the case of SMB, we’d just have a script that feeds SMB authentication information into the authentication framework in the cases we can grab it, and there will be another script that handles new authentications and feeds them into the intel framework.  It should simplify and unify the work that Josh was aiming for with his scripts.

Unfortunately, the authentication framework is difficult enough that it’s taken quite a few years and input from at least 4 people to cover a good set of the potential use cases.

> I have seen APT activity where service accounts have been cracked and then used to attempt to authenticate to devices around the network. A simple CIFS honeypot might be used to attract an attacker to attempt authentication.

Agreed, although in this case, your whole network would be the honeypot. :)

> If it were possible to extend the scripts to examine the SMB username then the Intel framework would pick up on this activity just using a list of usernames that should not appear on the network.

Yep, that should be pretty easy to deal with once the rewritten SMB analyzer makes it into Bro along with the authentication framework which should make authentication handling much nicer for people writing scripts.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
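The intel-side script Seth sketches above (a username taken from SMB session setup, handed to the Intel framework and matched against a list of usernames that should never appear on the network), as an added example that is not part of this thread or of Bro's own scripts. The event name `smb_session_setup`, the `Intel::Where` value `SMB::IN_USER_NAME`, the intel file path and the honeytoken entry are all assumptions; the rewritten SMB analyzer had not been merged when this was written, so the real event must be substituted once it ships. `Intel::seen`, `Intel::USER_NAME`, `Intel::read_files` and `policy/frameworks/intel/do_notice` are the framework's own names.

```bro
# Added example, not from the thread and not part of Bro: feed SMB usernames
# into the Intel framework so that a honeytoken username list raises a notice.
#
# Assumptions (the rewritten SMB analyzer had not shipped when this was written):
#   - smb_session_setup(c, username) is a hypothetical event; replace it with
#     the analyzer's real session-setup event and drop the stub declaration;
#   - the intel file path and the feed entry below are constructed.

@load base/frameworks/intel
@load policy/frameworks/intel/do_notice

# Stub declaration so this script loads stand-alone.  In a real deployment the
# SMB analyzer declares and raises the event; delete this line then.
global smb_session_setup: event(c: connection, username: string);

# Record where in the traffic the indicator was seen, extending the
# framework's enum the same way the bundled seen/*.bro scripts do.
redef enum Intel::Where += {
    SMB::IN_USER_NAME
};

# Constructed honeytoken feed.  Write these lines, with real TAB characters
# between fields, to the file named below.  Usernames are stored lowercase
# because the handler lowercases before matching (Windows account names are
# case-insensitive, Intel string matching is not).
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
#   svc_backup_old<TAB>Intel::USER_NAME<TAB>local-honeytokens<TAB>Retired service account, must never authenticate<TAB>T
#
# Path is an assumption; adjust to the deployment.
redef Intel::read_files += { "/opt/bro/intel/honeytoken-users.intel" };

event smb_session_setup(c: connection, username: string)
{
    # Anonymous / null-session setups carry no account name to match on.
    if ( username == "" )
        return;

    # Hand the username to the Intel framework.  A hit writes an intel.log
    # entry and, with meta.do_notice=T, raises an Intel::Notice notice.
    Intel::seen([$indicator=to_lower(username),
                 $indicator_type=Intel::USER_NAME,
                 $conn=c,
                 $where=SMB::IN_USER_NAME]);
}
```

Once the authentication framework Seth describes exists, the `Intel::seen` call would move into the script that handles new authentications generically, and this SMB-specific handler would only feed usernames into that framework; the feed file and the `Intel::Where` value stay the same.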
