[Bro] General advice on malware hunting?

Josh Liburdi liburdi.joshua at gmail.com
Wed Sep 30 06:41:01 PDT 2015


If you're going to do any serious hunting, then you should probably
use a tool that makes viewing the data easier. Try ELK or Splunk. ELK
is good if you just want to retrieve log data; Splunk can do that and
it includes fairly robust statistical analysis (this is very useful
for hunting).

With the amount of logs you likely have, you'll exceed Splunk's trial
license limit, but if you upload all of the logs at once, they won't
suspend your account or your ability to search your data. For what you
described, I recommend getting a trial Splunk license and putting all
your data in that.

On Wed, Sep 30, 2015 at 6:39 AM, nortonperry at gmail.com
<norton.perry at gmail.com> wrote:
> Hi Gents,
>
> I have had Bro installed as my gateway for a home network for about nine
> months now, with a complete (mostly uninterrupted) run of logs. I've also
> supplemented this with the Critical Stack plugin since July, with intel
> feeds up - focused mostly on malware and C&C domains.
>
> The network is reasonably busy, has probably about 25 discrete hosts of
> which at any given time between 3 and 10 are up. I have suspected there is
> malware / a rootkit perhaps on the network for a while as arp -a shows a lot
> of <undefined> hosts every now and then from the terminal of most systems on
> the network. Also, Nmap scans often report IP addresses that simply are not
> there.
>
> Also, Bro reports traffic to local NAT IP addresses that don't exist, e.g. my
> network is divided into a 192.168.2.x (Internal, all the hosts) and
> 192.168.1.x (airgap between Bro router and domestic DSL router). The
> 192.168.1.x network only really ever has two hosts - the bro router and the
> dsl router, but connections show to other addresses which don't exist.
>
> I have tried to put a methodology together for malware hunting based on what
> I can find online, but nothing has really come to light. I use zcat, bro-cut
> and regular expressions to query the logs.
>
> Would anyone on this list mind assisting me in a bug hunt / provide a
> methodology for tracking down suspicious traffic?
>
> I have looked and looked but can't seem to find any workflow / tooling which
> can isolate malware effectively. Any advice on this would be very gratefully
> received!
>
> regs
>
> Perry
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
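The statistical "stacking" recommended in the reply, applied to the 192.168.1.x observation in the quoted message, as an added example that is not part of the original thread: it parses Bro's tab-separated conn.log and counts connections to addresses in a subnet that are not on a known-host list. The function names, the known-host addresses (192.168.1.1 and 192.168.1.2) and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in Bro's tab-separated conn.log layout (not data from the thread).
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1443620000.1\tCa1\t192.168.2.10\t51000\t192.168.1.1\t53\tudp",
    "1443620001.2\tCa2\t192.168.2.14\t51001\t192.168.1.77\t80\ttcp",
    "1443620002.3\tCa3\t192.168.2.14\t51002\t192.168.1.77\t80\ttcp",
    "1443620003.4\tCa4\t192.168.2.14\t51003\t192.168.1.77\t80\ttcp",
    "1443620004.5\tCa5\t192.168.2.10\t137\t192.168.1.200\t137\tudp",
    "1443620005.6\tCa6\t192.168.2.14\t51004\t93.184.216.34\t443\ttcp",
    "#close\t2015-09-30-07-00-00",
]


def read_bro_tsv(lines):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def stack_unknown_responders(records, subnet, known_hosts):
    """Count (orig, resp, port, proto) tuples whose responder is inside
    `subnet` but absent from `known_hosts`, most frequent first."""
    net = ipaddress.ip_network(subnet)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    counts = Counter()
    for rec in records:
        try:
            resp = ipaddress.ip_address(rec["id.resp_h"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed rows
        if resp in net and resp not in known:
            key = (rec["id.orig_h"], str(resp), rec.get("id.resp_p"), rec.get("proto"))
            counts[key] += 1
    return counts.most_common()


if __name__ == "__main__":
    # Assumed known hosts on the transit network: DSL router and Bro router.
    hits = stack_unknown_responders(read_bro_tsv(SAMPLE_CONN_LOG),
                                    "192.168.1.0/24", {"192.168.1.1", "192.168.1.2"})
    for (orig, resp, port, proto), n in hits:
        print(f"{n:6d}  {orig} -> {resp}:{port}/{proto}")
```

Grouping by originator shows which internal host generates the traffic to each unexpected address, which narrows where to look next.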

