LiamRandall

Project Title

One Paragraph of project description goes here

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Prerequisites

LiamRandall

Keybase proof

I hereby claim:

• I am liamrandall on github.
• I am liamrandall (https://keybase.io/liamrandall) on keybase.
• I have a public key ASDRfJqLoK6OqQQhHA0nvWObB5mI5W12kFvHBwv2ddkjhAo

To claim this, I am signing this object:

LiamRandall

### Keybase proof

I hereby claim:

  * I am liamrandall on github.
  * I am liamrandall (https://keybase.io/liamrandall) on keybase.
  * I have a public key ASDOOp_WKcK6A0ME0cGNmAhbJUg1f_7A9G0z5Rzne_fvcgo

To claim this, I am signing this object:

LiamRandall

wpad:tmp2 liamrandall$ bro -r /Users/liamrandall/TrafficSamples/xmas2011.pcap local "Site::local_nets += {10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"
wpad:tmp2 liamrandall$ ls *.log
conn.log           ftp.log            known_hosts.log    loaded_scripts.log packet_filter.log  signatures.log     software.log
files.log          http.log           known_services.log notice.log         pe.log             smtp.log
wpad:tmp2 liamrandall$ bro -v
bro version 2.4-beta
wpad:tmp2 liamrandall$ less known_
known_: No such file or directory
wpad:tmp2 liamrandall$ cat known_hosts.log
#separator \x09

LiamRandall

         0.000000 bro_init
         0.000000 filter_change_tracking
1406693027.271405 ChecksumOffloading::check
1406693027.271405 filter_change_tracking
1406693027.271405 new_connection
                  [0] c: connection      = [id=[orig_h=2600:100c:b00b:608b:a54c:8e84:2fe0:b532, orig_p=65378/tcp, resp_h=2607:f8b0:4000:805::1015, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=189105], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1406693027.271405, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=C5abPgn1C03Sbffqi, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitial

LiamRandall

#!/usr/bin/env python2
##
## This script takes a line from the dpd.log generated with the
## policy/frameworks/dpd/packet-segment-logging.bro script, and
## outputs a PCAP to stdout
##
##    Vlad Grigorescu
##    [email protected]
##

LiamRandall

curl -H 'Host: www.cyberciti.biz' -H 'Host: www.google.com' 75.126.153.206:80

LiamRandall

##! DNS Detect Abnormal Number of Lookup Failures

##!                watches for hosts recieving an abnormal number of NXDOMAIN DNS Lookup Failures

##!        Improvements & derivatives

@load base/protocols/dns
@load base/frameworks/sumstats

@load base/utils/time

LiamRandall

First we are going to do an extremely simple case of loading some data and matching it. First we will create an intelligence file in Bro’s intelligence format. Create a file named “intel1.dat” with the following content. Keep in mind that all field separation is with literal tabs! Double check that you don’t have spaces as separators.

```
#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source
```

The next step will obviously be to load this data into Bro which is done as a configuration option. Put the following script into the same directory as your “intel1.dat” file and call it “intel-1.bro”.

```bro

LiamRandall

General

# Process packets despite bad checksums.
redef ignore_checksums = T;

File Analysis

This will change significantly with Bro 2.2 when we have the file analysis