[Bro] Intel Framework Issues
Derek Ditch
derek at criticalstack.com
Tue Nov 24 13:28:14 PST 2015
On 2015-11-23, 15:40, "Azoff, Justin S" <bro-bounces at bro.org on behalf of jazoff at illinois.edu> wrote:
>IN_ORIG / IN_RESP may help with this
>
>seen IN_RESP in a failed outbound connection to a known phishing site, useful to know
>
>seen IN_ORIG in a failed incoming port 22 connection from a known ssh scanner, probably just noise.
>seen in IN_RESP in a failed outbound port 22 connection to that same known ssh scanner, useful to know
>
>Which I guess would mean something like
>
>event connection_i_forget(c: connection) {
>    if(!Site::is_local_addr(c$id$resp_h)) {
>        Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
>    }
>}
Something that I’d add to Justin’s approach is quasi-state for non-TCP. I’d have to think how best to write the event for a bit, but basically apply the same logic to ICMP/UDP. But also catch if seen IN_ORIG of a UDP connection and there is any response at all. Maybe extend the Crowdstrike script and apply is_local_addr filter.
Something like (could be glitches, haven’t tested this yet):
# Source: https://gist.github.com/dcode/dfe6026fd9865fb8e1ab
@load base/frameworks/intel
@load policy/frameworks/intel/seen/where-locations

event connection_state_remove(c: connection)
    {
    # Non-TCP, or TCP where the responder never sent a SYN-ACK ("h" absent from history).
    if ( c$conn?$proto && ( c$conn$proto != tcp || ( c$conn?$history && "h" !in c$conn$history ) ) )
        {
        if ( ! Site::is_local_addr(c$id$resp_h) )
            {
            # Failed outbound connection: look up the external destination.
            Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
            }
        # Responder is local here; only an external originator that drew any
        # reply is worth a lookup (resp_pkts lives in Conn::Info, not connection).
        else if ( ! Site::is_local_addr(c$id$orig_h) && c$conn?$resp_pkts && c$conn$resp_pkts > 0 )
            {
            Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
            }
        }
    }
Of course, you could definitely parameterize this behavior like known-hosts so it’s easier to configure for incident responders.
—
Derek Ditch
derek at criticalstack.com
GPG: 0x2543A3B5
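Added example, not from the thread: the same IN_ORIG/IN_RESP decision as a small Python check over constructed conn.log-style records (orig/resp host, proto, history, resp_pkts), so the history-based failed-TCP test and the direction logic can be exercised offline before porting them into a Bro script. LOCAL_NETS stands in for Site::local_nets; all addresses and records are constructed sample data.

```python
import ipaddress
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # stands in for Site::local_nets (constructed)

def is_local_addr(addr):
    """Python equivalent of Site::is_local_addr for LOCAL_NETS."""
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)

def lacks_handshake(proto, history):
    """TCP with no 'h' (SYN-ACK from the responder) never completed a
    handshake; UDP/ICMP have no handshake, so they always qualify."""
    return proto != "tcp" or "h" not in history

def intel_seen_for(rec):
    """Return the (host, where) pair Intel::seen would get for this
    record, or None when the connection is not worth a lookup."""
    if not lacks_handshake(rec["proto"], rec["history"]):
        return None
    orig_h, resp_h = rec["id.orig_h"], rec["id.resp_h"]
    if not is_local_addr(resp_h):
        # Local host reached out and failed: check the destination.
        return (resp_h, "Conn::IN_RESP")
    if not is_local_addr(orig_h) and rec["resp_pkts"] > 0:
        # External originator got some reply (UDP/ICMP answer or a
        # TCP RST) from a local host: check the source.
        return (orig_h, "Conn::IN_ORIG")
    return None  # unanswered inbound probe or purely local traffic

def parse_conn_lines(lines):
    """Parse the reduced tab-separated conn.log fields used below."""
    fields = ("id.orig_h", "id.resp_h", "proto", "history", "resp_pkts")
    records = []
    for line in lines:
        rec = dict(zip(fields, line.split("\t")))
        rec["resp_pkts"] = int(rec["resp_pkts"])
        records.append(rec)
    return records

# Constructed conn.log-style samples (not from the thread).
SAMPLE = [
    "10.0.0.5\t203.0.113.9\ttcp\tS\t0",         # failed outbound SYN
    "198.51.100.7\t10.0.0.5\ttcp\tSr\t1",       # inbound SYN, local RST
    "198.51.100.7\t10.0.0.5\ttcp\tS\t0",        # inbound SYN, no reply
    "10.0.0.5\t10.0.0.6\tudp\tDd\t1",           # local to local UDP
    "198.51.100.7\t10.0.0.9\tudp\tDd\t2",       # inbound UDP, answered
    "10.0.0.5\t203.0.113.9\ttcp\tShADadFf\t5",  # completed TCP session
]

def classify(lines):
    return [intel_seen_for(r) for r in parse_conn_lines(lines)]
```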