[Bro] General advice on malware hunting?

nortonperry@gmail.com norton.perry at gmail.com
Wed Sep 30 03:39:22 PDT 2015


Hi Gents,

I have had Bro installed as my gateway for a home network for about nine
months now, with a complete (mostly uninterrupted) run of logs. I've also
supplemented this with the critical stack plugin since July, with intel
feeds up - focused mostly on malware and candc domains.

The network is reasonably busy, has probably about 25 discreet hosts of
which at any given time between 3 and 10 are up. I have suspected there is
malware / a rootkit perhaps on the network for a while as arp -a shows a
lot of <undefined> hosts every now and then from the terminal of most
systems on the network. Also, Nmap scans often report IP addresses that
simply are not there.

Also, Bro reports traffic to local NAT IP addresses that don't exist. eg my
network is divided into a 192.168.2.x (Internal, all the hosts) and
192.168.1.x(airgap between Bro router and domestic DSL router). The
192.168.1.x network only really ever has two hosts - the bro router and the
dsl router, but connections show to other addresses which don't exist.

I have tried to put a methodology together for malware hunting based on
what I can find online, but nothing has really come to light. I use zcat,
bro-cut and regular expressions to query the logs.

Would anyone on this list mind assisting me in a bug hunt / provide a
methodology for tracking down suspicious traffic?

I have looked and looked but can't seem to find any workflow / tolling
which can isolate malware effectively. Any advice on this would be very
gratefully received!

regs

Perry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150930/36ba891b/attachment.html 


More information about the Bro mailing list