[Bro] Intel Framework Issues

Derek Ditch derek at criticalstack.com
Tue Nov 24 13:28:14 PST 2015

On 2015-11-23, 15:40, "Azoff, Justin S" <bro-bounces at bro.org on behalf of jazoff at illinois.edu> wrote:

>IN_ORIG / IN_RESP may help with this
>seen IN_RESP in a failed outbound connection to a known phishing site, useful to know
>seen IN_ORIG in a failed incoming port 22 connection from a known ssh scanner, probably just noise.
>seen in IN_RESP in a failed outbound port 22 connection to that same known ssh scanner, useful to know
>Which I guess would mean something like
>event connection_i_forget(c: connection) {
>    if(!Site::is_local_addr(c$id$resp_h)) {
>        Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
>    }

Something that I’d add to Justin’s approach is quasi-state for non-TCP. I’d have to think how best to write the event for a bit, but basically apply the same logic to ICMP/UDP. But also catch if seen IN_ORIG of a UDP connection and there is any response at all. Maybe extend the Crowdstrike script and apply is_local_addr filter.

Something like (could be glitches, haven’t tested this yet):

# Source: https://gist.github.com/dcode/dfe6026fd9865fb8e1ab
@load base/frameworks/intel
@load policy/frameworks/intel/seen/where-locations

event connection_state_remove(c: connection)
    {
    # Only look at non-TCP, or TCP that never completed a handshake ("h" in the history);
    # established TCP connections are already covered by seen/conn-established.
    if ( c?$conn && ( c$conn$proto != tcp || ( c$conn?$history && "h" !in c$conn$history ) ) )
        {
        # Outbound: a failed contact with a remote responder is still worth matching.
        if ( ! Site::is_local_addr(c$id$resp_h) )
            Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
        # Inbound from a remote originator: only report it if the local host answered at all.
        # (resp_pkts lives in the Conn::Info record c$conn, not on the connection record itself.)
        else if ( ! Site::is_local_addr(c$id$orig_h) && c$conn?$resp_pkts && c$conn$resp_pkts > 0 )
            Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
        }
    }

Of course, you could definitely parameterize this behavior like known-hosts so it’s easier to configure for incident responders.
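A redef-able version of that handler, as an added example that is not part of the thread or of the gist it cites: the module name IntelQuasiState and its two options are invented, and it assumes the stock policy/frameworks/intel/seen/conn-established script already reports completed TCP handshakes, so this handler only covers what that script cannot see.

```zeek
# Added example, not from the thread: a parameterized variant of the handler above.
# Module and option names are assumptions for illustration.
@load base/frameworks/intel
@load policy/frameworks/intel/seen/where-locations

module IntelQuasiState;

export {
	## Report the remote responder of outbound connections that never completed
	## (no TCP handshake, or no reply at all). A failed outbound contact with a
	## known phishing host is still worth knowing about.
	const report_unanswered_outbound = T &redef;

	## For inbound traffic from a remote originator, only report it if the local
	## host answered. Unanswered scans against closed ports are mostly noise.
	const require_reply_for_inbound = T &redef;
}

event connection_state_remove(c: connection) &priority=-5
	{
	if ( ! c?$conn )
		return;

	# Completed TCP handshakes are already reported by
	# policy/frameworks/intel/seen/conn-established, so skip them here.
	if ( c$conn$proto == tcp && c$conn?$history && "h" in c$conn$history )
		return;

	# "Any response at all": the responder sent at least one packet.
	local replied = c$conn?$resp_pkts && c$conn$resp_pkts > 0;

	if ( ! Site::is_local_addr(c$id$resp_h) )
		{
		# Outbound: local originator talking to a remote responder.
		if ( report_unanswered_outbound || replied )
			Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
		}
	else if ( ! Site::is_local_addr(c$id$orig_h) )
		{
		# Inbound: remote originator talking to a local responder.
		if ( replied || ! require_reply_for_inbound )
			Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
		}
	}
```

Incident responders can then flip either behaviour from local.bro with `redef IntelQuasiState::require_reply_for_inbound = F;` without touching the handler.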

