BRO AND BRO-IDS: File Extraction (HTTP, FTP, SMTP, IRC)

Presented by Liam Randall 2013-2-25

ABOUT ME

History:
- 17 years consulting (since 1995)
- BS in CS from XU
- Dozens of vendor certs
- Speak/train: Shmoocon, Skydogcon
- "Applied NSM", summer of 2013
- Bro-IDS
- SecurityOnion
- [email protected]
- @Hectaman on Twitter/IRC

LINKS

Github github/liamrandall

#Bro_IDS @Hectaman @Bro_IDS

http://bro-ids.org

PRESENTATION OVERVIEW

- Bro features: feature overview
- How to: demonstrations
- Protocol settings: HTTP
- Background: log and event structure
- Code mods
- MIME types

PROTOCOLS

Why file extraction: archive by type + further analysis + ??? + detection

Protocols covered: HTTP, SMTP, FTP, IRC

FOLLOW ALONG

Documentation: http://www.bro-ids.org/documentation/quickstart.html

DIRECTORY STRUCTURE

Layout of a Bro install prefix (the protocol scripts live under share/bro/base/protocols):

    bin/
    etc/
    include/
    lib/
    share/
      broctl/
      bro/
        base/
          misc/
          protocols/
            ftp/
            http/
            irc/
            smtp/
          frameworks/
          utils/
        policy/
        securityonion/
        site/

BASE/PROTOCOLS/HTTP

Contents of share/bro/base/protocols/http:

    __load__.bro
    main.bro
    utils.bro
    file-ident.sig
    file-ident.bro
    file-hash.bro
    file-extract.bro

__load__.bro pulls the other scripts in, in this order:

    @load ./main
    @load ./utils
    @load ./file-ident
    @load ./file-hash
    @load ./file-extract

FILE EXTRACTION

The tunable part of file-extract.bro (surrounding code elided with "..") is its export block:

    ..
    export {
        ## Pattern of file mime types to extract
        const extract_file_types = /NO_DEFAULT/ &redef;

        ## on-disk prefix for files to be extracted from HTTP
        const extraction_prefix = "http-item" &redef;

        redef record Info += {
            ## On-disk file where the response body was extracted to.
            extraction_file: file &log &optional;

            ## Indicates whether the response body is extracted or not
            extract_file: bool &default=F;
        };
    }
    ..

With the default pattern /NO_DEFAULT/ nothing is extracted; extraction only starts once a site policy redefines HTTP::extract_file_types. The two record fields added to HTTP::Info are what show up in http.log: extraction_file (the on-disk path) and extract_file (whether the body was written out).

CONST &REDEF

The same export block from file-extract.bro, looked at for its attributes: each setting is declared as `const ... &redef`. A plain `const` cannot be changed after definition; `&redef` is what allows a site policy to override the value with `redef HTTP::extract_file_types = ...` (and likewise HTTP::extraction_prefix) without editing the base script. The `redef record Info += { ... }` line uses the same mechanism to extend the HTTP::Info log record with the extraction fields.

HTTP MIME TYPES

In the site policy (share/bro/site), override the default pattern:

    redef HTTP::extract_file_types = /application\/.*/;

OTHER MIME TYPES

The other protocol scripts expose the same setting under their own module names, so the same site policy can turn extraction on for all four:

    redef HTTP::extract_file_types = /application\/.*/;
    redef SMTP::extract_file_types = /application\/.*/;
    redef FTP::extract_file_types  = /application\/.*/;
    redef IRC::extract_file_types  = /application\/.*/;
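The following site policy is an added example for Bro 2.1, not code from the slides or from the Bro project. It narrows the pattern from the slides to a handful of types an analyst actually wants archived, moves the extracted files off the working directory, and raises a notice for each extracted body so the on-disk file can be tied back to the request in http.log. The module name SiteExtract, the notice type Extracted_File, the output path and the chosen MIME patterns are all assumptions.

```bro
# Added example site policy (e.g. share/bro/site/local.bro) for Bro 2.1.
# Not code from the slides or from the Bro project; module name, notice
# name, output path and MIME patterns are assumptions.
@load base/protocols/http
@load base/frameworks/notice

module SiteExtract;

export {
	redef enum Notice::Type += {
		## Raised once per HTTP response whose body was written to disk
		## by base/protocols/http/file-extract.bro.
		Extracted_File,
	};
}

# Narrow the pattern instead of /application\/.*/: the broad pattern also
# pulls every application/json, application/javascript and
# application/octet-stream body off the wire and fills the disk quickly.
# The pattern is matched against the mime_type that file-ident.bro sniffs
# from the body content (file-ident.sig), not against the Content-Type
# header, so a server that labels an .exe as text/plain is still caught.
redef HTTP::extract_file_types =
	/application\/x-dosexec/
	| /application\/x-executable/
	| /application\/pdf/
	| /application\/zip/
	| /application\/x-shockwave-flash/
	| /application\/java-archive/;

# Put the files somewhere with space. The prefix is used as a path prefix,
# so the directory (assumed here) must already exist and be writable by the
# Bro worker; Bro appends connection-specific parts to this prefix.
redef HTTP::extraction_prefix = "/nsm/bro/extracted/http-item";

# Surface each extraction in notice.log so an analyst (or a script that
# tails notice.log) knows which on-disk file belongs to which request.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$extraction_file )
		return;

	local mt  = rec?$mime_type ? rec$mime_type : "unknown";
	local hst = rec?$host ? rec$host : "-";
	local uri = rec?$uri ? rec$uri : "-";

	NOTICE([$note=Extracted_File,
	        $msg=fmt("extracted %s from http://%s%s", mt, hst, uri),
	        $id=rec$id, $uid=rec$uid]);
	}
```

Two checks before turning this on in production: confirm the extraction directory exists on every worker (the open fails silently from the analyst's point of view otherwise, and http.log will simply lack extraction_file), and watch disk usage for the first day, since even the narrowed pattern will archive every PDF and ZIP the monitored segment downloads.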

TO DO

- MIME type reference: http://www.freeformatter.com/mime-types-list.html
- Pros and cons of the various MIME type extractions
- What other things can be redefined?
