[Bro] Crowdstrike Additional Intel types

Josh Liburdi liburdi.joshua at gmail.com
Tue Jan 13 09:49:54 PST 2015

Seth nailed it-- the Intel::USER_NAME fit a specific use case for me
(FTP authentication), so that's why I added it instead of waiting for
the Authentication framework. With that said, if the merge of the SMB
analyzer beats the merge of the Authentication framework, then we can
use a similar approach to check for SMB users via the Intel framework
using the username field in smb_cmd.log.

Very excited to see the Authentication framework when it's ready, that
should make all of this (and more) easier.

On Tue, Jan 13, 2015 at 6:51 AM, Andrew Ratcliffe
<andrew.ratcliffe at nswcsystems.co.uk> wrote:
> Hi Seth,
> Thanks for the response. It sounds like there are a few strands coming
> together soon that will make this, and much more, all possible; sounds good.
> BTW: Enjoyed Floss Weekly 296!
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> Blog.InfoSecMatters.net
> On 13 Jan 2015, at 14:10, Seth Hall <seth at icir.org> wrote:
> On Jan 13, 2015, at 3:30 AM, Andrew Ratcliffe
> <Andrew.Ratcliffe at nswcsystems.co.uk> wrote:
>> But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB
>> where the username is in the clear?
> Even better is that development on the Authentication framework has been
> picked up again and is making some progress.  Personally I’d like to see it
> make its way into 2.4 so that we’d be able to have a generic, abstract
> implementation for authentication handling.
> In the case of SMB, we’d just have a script that feeds SMB authentication
> information into the authentication framework in the cases we can grab it,
> and there will be another script that handles new authentications and feeds
> them into the intel framework.  It should simplify and unify the work that
> Josh was aiming for with his scripts.
> Unfortunately, the authentication framework is difficult enough that it’s
> taken quite a few years and input from at least 4 people to cover a good set
> of the potential use cases.
>> I have seen APT activity where service accounts have been cracked and
>> then used to attempt to authenticate to devices around the network. A simple
>> CIFS honeypot might be used to attract an attacker to attempt
>> authentication.
> Agreed, although in this case, your whole network would be the honeypot. :)
>> If it were possible to extend the scripts to examine the SMB username then
>> the Intel framework would pick up on this activity just using a list of
>> usernames that should not appear on the network.
> Yep, that should be pretty easy to deal with once the rewritten SMB analyzer
> makes it into Bro along with the authentication framework which should make
> authentication handling much nicer for people writing scripts.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
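Josh's interim idea, checking the username field of smb_cmd.log against Intel::USER_NAME indicators, as an added offline example that is not from this thread or from Bro itself: it parses a Bro-format intel file and a Bro-style smb_cmd.log and reports the records whose username matches an indicator, roughly what Intel::seen() does inside Bro. The log columns, the DOMAIN\ prefix handling and every intel and log line are constructed assumptions for the example.

```python
# Constructed intel file in Bro's tab-separated intel format: accounts
# that should never authenticate on this network, typed Intel::USER_NAME.
INTEL_FILE = """\
#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc
svc_backup\tIntel::USER_NAME\tad_export\tretired service account
svc_sql\tIntel::USER_NAME\tad_export\thoneytoken account
"""

# Constructed Bro-style smb_cmd.log, subset of columns ('-' = unset).
# Columns are located via the #fields header, so their order is irrelevant.
SMB_CMD_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcommand\tusername
1421164194.123\tCabc1\t10.0.0.5\t49152\t10.0.0.20\t445\tSESSION_SETUP\talice
1421164195.456\tCabc2\t10.0.0.7\t49153\t10.0.0.20\t445\tSESSION_SETUP\tSVC_Backup
1421164196.789\tCabc3\t10.0.0.7\t49154\t10.0.0.21\t445\tTREE_CONNECT\t-
1421164197.012\tCabc4\t10.0.0.9\t49155\t10.0.0.21\t445\tSESSION_SETUP\tCORP\\svc_sql
"""

def parse_bro_log(text):
    """Yield one dict per record of a tab-separated Bro log or intel file."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def load_user_indicators(intel_text):
    """Intel::USER_NAME indicators keyed by lower-cased username."""
    return {r["indicator"].lower(): r for r in parse_bro_log(intel_text)
            if r["indicator_type"] == "Intel::USER_NAME"}

def normalize_user(raw):
    # Windows account names are case-insensitive and (assumed here) may
    # arrive as DOMAIN\user; reduce both so the intel lookup still matches.
    return raw.rsplit("\\", 1)[-1].lower()

def match_smb_users(log_text, indicators):
    """Return (uid, orig_h, resp_h, username, meta.source) per intel hit."""
    hits = []
    for rec in parse_bro_log(log_text):
        user = rec.get("username", "-")
        if user == "-":                     # field unset, nothing to match
            continue
        meta = indicators.get(normalize_user(user))
        if meta:
            hits.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"],
                         user, meta["meta.source"]))
    return hits
```

Running match_smb_users(SMB_CMD_LOG, load_user_indicators(INTEL_FILE)) on the constructed data reports the SVC_Backup and CORP\svc_sql session setups and ignores alice and the record with no username.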
