Note: The assumption for the exercise is that Bro is already installed or run in a VM. In this exercise, "<PREFIX>" represents the Bro install directory.
Advanced users who want more of a challenge may skip directly to part D and solve the second exercise marked Level advanced.
A) BroControl
BroControl is an interactive shell for easily operating/managing Bro installations on a single system or even across multiple systems in a traffic-monitoring cluster. To learn more about BroControl please refer to the documentation. The following exercise is to start and use BroControl.
Exercise
Level beginner
Start up BroControl:
broctl
The first time that you run BroControl, you must install the BroControl configuration:
[BroControl] > install
Now type:
[BroControl] > help
Use the BroControl help to achieve the following tasks:
- Start a Bro instance and check if it is running.
- Find out which nodes are running. Which interfaces are monitored?
- What is the current packet count of the first node?
- Find all Bro processes running.
- What type is your Bro instance?
- Stop Bro and check if it has stopped.
- Exit BroControl.
Solution
Start Bro via BroControl by using the command ”start”. If the config has not been changed Bro will run in standalone mode, monitoring eth0. Use the "status" command to confirm it is truly running. The other information listed in this exercise can be found using the commands "nodes", "status", and "netstats". All Bro processes running are the ones you just started, in this case one single process. To stop Bro type "stop" and use the status command again to see if the process was terminated. If an error occurs at any point type "diag" for more output. BroControl is closed with the "quit" command.
B) Run Bro directly
If you don’t want to use BroControl, then you can run Bro directly. When you run Bro directly, it creates its log files in the current working directory. Therefore, it is a good idea to create a temporary directory so that you can more easily see which files are generated by Bro. Using Bro directly is especially useful when you want to analyze packet capture (pcap) traffic files.
Exercise
Level beginner
Use the ”bro” command with "—help" to find the option that allows you to read a pcap file. Read the pcap file http.pcap and examine the log files that are created.
Solution
bro -r <filename>.pcap
The log files should be in the same directory from which you called the bro command. Type "ls" to see a list of the logs that were created. Read the logs using the "less" command.
C) Bro log files — warm up
After completing the last two exercises you should now have two different log sets. Logs created by BroControl are stored in the "<PREFIX>/logs" directory. The logs directory contains a subdirectory named with today’s date (in the form of YYYY-MM-DD). This date-named subdirectory contains various log files (all are gzipped) which are copied into this subdirectory when Bro is stopped. Running Bro directly writes the logs into your working directory, as discussed above. These files are not zipped. One more notable difference between BroControl and running Bro directly is that BroControl loads local.bro scripts, whereas running Bro directly only runs "base" scripts.
Exercise
Level beginner
This exercise gives you an overview of the default logs generated by Bro. Find all the logs created during the previous exercises. Examine both log sets, the one created by BroControl and the one created using Bro directly. What is the difference? Why are they different?
The command
gunzip -dc <PREFIX>/logs/<date>/<log> | less
allows you to look inside the zipped logs. The other not-zipped logs can be examined using "less".
Answer the following questions by scanning through the logs. You can select one of the log sets or go through both.
- Which scripts were loaded by Bro?
- How can you find out if there were any network connections?
- Identify source and destination port of a connection.
- Look in the log weird.*. Is there anything? What is it? Why does Bro consider it weird?
- If so, use the UID of the first connection to find the same connection in the connection log. What could have happened there?
Solution
- Look into ”loaded_scripts.*.log”
- Look into ”conn.*.log”
- The fields in, e.g., ”conn.*.log”, are ”id.orig_p” and ”id.resp_p”
- weird.*.log is the file Bro log everything that cannot be identified, e.g., unmatched dns messages. In this exercise it depends on what your system did what you might find in this log.
D) Bro log files — digging deeper
In the following exercise a pcap file is provided that potentially contains real malware. Do not execute files or follow links with a real system. Use the Bro training VM, Bro-Live, try.bro.org, or whatever training environment you are using for these exercises. The objective of this exercise is to learn more about what can be done with Bro logs. There are two parts: one for beginners and one for more advanced Bro users.
The pcap used in this exercise was provided by http://forensicscontest.com/ and is their property.
For this exercise we assume a certain set of skills:
- Basic Unix tools, e.g., cat, sort, etc.
- Basic awk (or Perl) to process files
- Basic networking
Exercise
Level beginner
Produce log files the same way as above, using the file infected.pcap.
- Use bro-cut with the "—help" option learn how to extract the 4-tuple of a connection, the UID of the log record, and the duration.
- Find the top five connections with the longest duration. Why could it be useful to filter out the longest connections?
- Find the connection with the largest data transfer. What was transferred? From where to where? List the URL.
- There is one connection that uses a hardcoded IP address, which means there is no DNS request. Which IP is it?
Solution
- bro-cut works similar to the UNIX tool cut. To extract the fields the field names are given to bro-cut as arguments.
cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p uid duration
- To find the top 5 connections in terms of duration use:
cat conn.log | bro-cut duration id.orig_h id.orig_p id.resp_h id.resp_p uid | sort -nr | head -n5
- The connection with the largest data transfer can be found with:
cat conn.log | bro-cut resp_bytes orig_bytes id.orig_h id.orig_p id.resp_h id.resp_p uid | sort -nr grep CH4rNJ31Ott2QETwSk *.log
The result is that the malicious file is a dos executable received from 59.53.91.102, port 80, transferred to 192.168.23.129, and it had the size 1066
- The missing DNS request is for IP ”65.55.195.250”. It can be found by matching all remote IPs with the IPs in the DNS-log.
Advanced Bro users continue here:
The background to this exercise can be found at http://forensicscontest.com/2010/04/01/ms-moneymanys-mysterious-malware. We present only a selection of the questions asked there. Use Bro to examine infected.pcap.
Exercise
Level advanced
The given pcap contains malware. Answer the following questions using Bro only:
- What is the name of one of the two .jar files that implemented the Java applet downloaded during the incident? Ambitious people can try to find the second .jar file name, too.
- What was the username on the infected Windows system that was used while the incident happened?
- What is the MD5 hash of the downloaded malicious executable?
- What URL did the user most likely click to start the whole incident?
Solution
- One of the files is q.jar.
Use bro in direct mode with the pcap file and a script that extracts all files. Our example is named ”extract-all.bro”.
event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }
bro -r infected.pcap extract-all.bro
- The username can be found in the http.log and is ”ADMINISTRATOR”
- The MD5 hash is ”5942ba36cf732097479c51986eee91ed”.
- The URL is ”http://nrtjo.eu/true.jp”
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
