So now that you’ve got a general sense of what logs look like and how Bro produces them, the typical inclination is for a person to want to find something interesting to look at in them. The good thing is that Bro, by default, does some analysis on traffic and can suggest potentially interesting network activity for you to investigate. These suggestions are what are known as "notices".
Part 1: The Notice Log
Here, let’s just run Bro on a network trace and see if it suggests anything interesting to look at. You’ll need ssh.pcap for all the rest of the exercises.
Exercise
Run the command:
bro -r ssh.pcap local
to run Bro with a predefined set of policy/ scripts loaded that makes for a similar configuration as running BroControl out-of-the-box. What high-level activity is suggested as interesting in the notice.log?
Solution
The command:
bro-cut note < notice.log
shows output:
SSH::Login SSH::Login SSH::Password_Guessing SSH::Login
There were 3 successful SSH logins (heuristically determined) and someone trying to brute-force their way into an SSH server.
Part 2: Basic Filtering of the Notice Log
Now, let’s start making some policy decisions regarding the notices Bro conveniently supplied.
Exercise
Take the my_basic_policy.bro code, and run:
bro -r ssh.pcap local my_basic_policy.bro
Look at the code you just supplied to Bro and then look for an additional log that Bro has generated, what’s in it and how does it relate to the code?
Solution
Bro created a notice_alarm.log that now contains the SSH::Password_Guessing notice because my_basic_policy.bro made the decision that that type of notice was alarm-worthy.
Note
We’re currently defining notice policy in an extra Bro script so as to avoid accidentally corrupting results of future exercises, but normally it’s typical to take what’s in these scripts and put them directly in your local.bro or other scripts inside your $PREFIX/share/bro/site/ installation directory.
Exercise
Now alter my_basic_policy.bro by making SSH::Login notices ignored (not written to the notice.log), and check your results by re-running:
bro -r ssh.pcap local my_basic_policy.bro
Solution
You should now see that notice.log does not contain any SSH::Login notices.
Of course, there are also other convenience actions that can be taken with notices, such as sending an email, but those are not demonstrable in such contrived exercises, however we’re about to witness the full power allowed by the notice framework.
Part 3: More Advanced Notice Policy
What if grouping all types of a given notice is too rigid for you? The answer is to define the notice policy more flexibly around what you exactly need.
Exercise
Take the my_advanced_policy.bro code, and run:
bro -r ssh.pcap local my_advanced_policy.bro
Find out the purpose of the code by inspecting it and the notice_alarm.log.
Solution
The purpose of this bit of advanced policy is to only trigger an alarm action when a particular SSH::Login notice belongs to a particular group of servers (as seen in the watched_servers variable).
Exercise
Modify my_advanced_policy.bro to now alarm on the last remaining SSH server which Bro recognized as having been logged into.
Solution
The last remaining SSH service is 172.16.238.129 and can be appended to the ongoing list in watched_servers in my_advanced_policy.bro.
Part 4: Extra Credit
So we’ve seen that the actions associated with any given Bro notice are fully customizable since you can define arbitrary functions in your notice policy. And knowing that, you can do all sorts of neat things.
Exercise
The my_extracredit_policy.bro contains some notice policy code. Determine what it does by looking at its code, running it through bro on the ssh.pcap trace and looking at the resulting logs.
Solution
The extra credit notice policy code accumulates IP addresses that have been attempting SSH brute-forcing over a 24 hour window and promotes an SSH::Login notice to an alarm if any such brute- forcer successfully logs in to a server.
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
