Sample Bro Policy

From BroWiki


Do you have some Bro policy code that others might find useful? Request a wiki account and post it here!

  • Policy for catching hosts sending spam by watching percentage of rejected SMTP sessions. New version using the "when" statement soon.
  • Policy for watching DNS traffic for two interesting events:
    (1) domain names that look like host.local.com.evil.com;
    (2) lookups that return 127.0.0.0/8, 10.0.0.0/8 or 192.168.0.0/16 addresses. Further lookups that provide new address information are logged as well. These transitions have been used for bot C&C before.
  • Policy for identifying a class of PHP related attacks similar to:
     /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=hxxp://usuarios.arnet.com.ar/larry123/safe.txt?
    The download address is parsed out of the URI and possibly resolved. Another 'when' example!

Connections to these addresses are flagged as hot and alarmed.
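The two DNS checks from the DNS policy item above, as an added example that is not the wiki's policy code: it runs the same logic over constructed (name, answer) pairs instead of live traffic, and assumes the site's own domain is local.com.

```python
import ipaddress

# Assumption for this example: the site's own domain(s). Not from the wiki page.
LOCAL_DOMAINS = ("local.com",)
WATCHED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

def looks_like_spoofed_local(name, local_domains=LOCAL_DOMAINS):
    """Check (1): a local domain appears inside the name but not at its end,
    e.g. host.local.com.evil.com, so the query really goes to a foreign zone."""
    labels = name.lower().rstrip(".").split(".")
    for local in local_domains:
        ll = local.split(".")
        # any run of labels equal to the local domain that stops short of the end
        if any(labels[i:i + len(ll)] == ll for i in range(len(labels) - len(ll))):
            return True
    return False

def is_watched_answer(a):
    """Check (2): the resolved address is in 127/8, 10/8 or 192.168/16."""
    ip = ipaddress.ip_address(a)
    return any(ip in net for net in WATCHED_NETS)

class DnsWatcher:
    """Remembers the last answer for every name that ever resolved into a
    watched range, so later lookups giving new address information are logged."""
    def __init__(self):
        self.last = {}        # name -> last address seen for a flagged name
        self.notices = []     # what the policy would log/alarm

    def reply(self, name, a):
        """Feed one A-record answer (name resolved to a); returns all notices so far."""
        if looks_like_spoofed_local(name):
            self.notices.append(f"suspicious name {name} -> {a}")
        if is_watched_answer(a) or name in self.last:
            prev = self.last.get(name)
            if prev is None:
                self.notices.append(f"private answer {name} -> {a}")
            elif prev != a:
                # the transition the wiki item describes: new address info
                self.notices.append(f"transition {name} {prev} -> {a}")
            self.last[name] = a
        return self.notices
```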
Policy for identifying ICMP tunnels based on the ptunnel tool. A nice writeup of ptunnel can be found at http://www.cs.uit.no/~daniels/PingTunnel . This required the addition of a bif. Source as follows:

    function to_xint%(str: string%): int
       %{
       // Same as the stock to_int() bif, except that strtol() is called with
       // base 16 so the string is read as hexadecimal rather than decimal.
       const char* s = str->CheckString();
       char* end_s;

       long l = strtol(s, &end_s, 16);
       int i = int(l);

    #if 0
       // Not clear we should complain.  For example, is " 205 "
       // a legal conversion?
       if ( s[0] == '\0' || end_s[0] != '\0' )
               builtin_run_time("bad conversion to integer", @ARG@[0]);
    #endif

       return new Val(i, TYPE_INT);
       %}


Alarm output looks like:

    Mar 18 14:15:08 ICMP_PTunnel_ID (#1) proxy-start 128.55.8.67 -> 72.9.228.164 -> 131.243.2.11:22

While logging output looks like:

    Mar 18 14:15:08 #1 state-change authentication -> data-forwarding
    Mar 18 14:15:21 #1 state-change ACK-data -> close-session
    Mar 18 14:15:21 #1 close-session client sent: 4268  receive: 73009
    Mar 18 14:15:21 #1 close-session client sent: 4268  receive: 73009 

Policy can be found here: icmp.tunnel.bro (questions)
