[Bro] Intel Framework Issues
Josh Liburdi
liburdi.joshua at gmail.com
Tue Nov 24 15:49:27 PST 2015
Generally speaking, I favor grabbing more data over grabbing a portion of the data, so I prefer to see all of the IP indicators in every connection, then process the output outside of Bro. That said, the suggestions of checking for non-TCP / unestablished TCP IN_RESP connections makes sense if a sensor is resource constrained.
I also like the idea of getting more granular with indicator-related activity (I do a bit of this, just not shared publicly), but I wonder if those specific use cases should be their own policy scripts instead of default behavior. More indicator-related policy scripts could give users better options.
Josh
> On Nov 24, 2015, at 4:28 PM, Derek Ditch <derek at criticalstack.com> wrote:
>
> On 2015-11-23, 15:40, "Azoff, Justin S" <bro-bounces at bro.org on behalf of jazoff at illinois.edu> wrote:
>
>
>> IN_ORIG / IN_RESP may help with this
>>
>> seen IN_RESP in a failed outbound connection to a known phishing site, useful to know
>>
>> seen IN_ORIG in a failed incoming port 22 connection from a known ssh scanner, probably just noise.
>> seen in IN_RESP in a failed outbound port 22 connection to that same known ssh scanner, useful to know
>>
>> Which I guess would mean something like
>>
>> event connection_i_forget(c: connection) {
>> if(!Site::is_local_addr(c$id$resp_h)) {
>> Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
>> }
>> }
>
> Something that I’d add to Justin’s approach is quasi-state for non-TCP. I’d have to think how best to write the event for a bit, but basically apply the same logic to ICMP/UDP. But also catch if seen IN_ORIG of a UDP connection and there is any response at all. Maybe extend the Crowdstrike script and apply is_local_addr filter.
>
> Something like (could be glitches, haven’t tested this yet):
>
> # Source: https://gist.github.com/dcode/dfe6026fd9865fb8e1ab
> @load base/frameworks/intel
> @load policy/frameworks/intel/seen/where-locations
>
> event connection_state_remove(c: connection)
> {
> if ( c$conn?$proto && ( c$conn$proto != tcp || ( c$conn?$history && c$conn$proto == tcp && "h" !in c$conn$history ) ) )
> {
> if ( !Site::is_local_addr(c$id$resp_h) )
> {
> Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
> }
> else if ( Site::is_local_addr(c$id$orig_h) && c$resp_pkts > 0 )
> {
> Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
> }
> }
> }
>
>
> Of course, you could definitely parameterize this behavior like known-hosts so it’s easier to configure for incident responders.
>
> —
> Derek Ditch
> derek at criticalstack.com
> GPG: 0x2543A3B5
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list