What is a Bro log? Justin Azoff. Aug 26, 2014



Similar documents
The Bro Monitoring Platform

Introduction. Background

The Bro Monitoring Platform

The Bro Monitoring Platform

dns.log DNS query/response details

100G Network Monitoring with Bro and Time Machine

Firewalls. Chapter 3

Note: With v3.2, the DocuSign Fetch application was renamed DocuSign Retrieve.

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

How to Login Username Password:

The Bro Network Security Monitor. Broverview

Firewalls, IDS and IPS

Tenable for CyberArk

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

A Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Discover the best keywords for your online marketing campaign

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Analytics Canvas Tutorial: Cleaning Website Referral Traffic Data. N m o d a l S o l u t i o n s I n c. A l l R i g h t s R e s e r v e d

Novell ZENworks Asset Management 7.5

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

How to Configure Captive Portal

LifeSize UVC Video Center Deployment Guide

EXPLORER. TFT Filter CONFIGURATION

Deploying the BIG-IP System with Oracle E-Business Suite 11i

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Volume SYSLOG JUNCTION. User s Guide. User s Guide

ClickDimensions Quick Start Guide For Microsoft Dynamics CRM /1/2011 ClickDimensions

Multi-Homing Dual WAN Firewall Router

Monitoring System Status

Network Technologies

Send TLM. Table of contents

May 09, Creating live broadcast with Kaltura Complete guide

COMP 112 Assignment 1: HTTP Servers

Dynamic DNS How-To Guide

F-Secure Messaging Security Gateway. Deployment Guide

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

kalmstrom.com Business Solutions

XMS Quick Start Guide

SecuraLive ULTIMATE SECURITY

USER GUIDE. Snow Inventory Client for Unix Version Release date Document date

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

Application Monitoring using SNMPc 7.0

Configuration Manual

HIPAA Compliance Use Case

Introducing the BIG-IP and SharePoint Portal Server 2003 configuration

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

User-ID Features. PAN-OS New Features Guide Version 6.0. Copyright Palo Alto Networks

Grow your Business with our advanced Call Tracking services

1 Functionalities of iq.suite Update Manager Installation New Installation Update Installation Configuration...

UQC103S1 UFCE Systems Development. uqc103s/ufce PHP-mySQL 1

Using WhatsUp IP Address Manager 1.0

The Bro Network Security Monitor. Broverview. Bro Workshop NCSA, Urbana-Champaign, IL. Bro Workshop 2011

Yandex: Webmaster Tools Overview and Guidelines

Configuring Web services

Oracle Managed File Getting Started - Transfer FTP Server to File Table of Contents

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

LANGuardian Integration Guide

FTP, IIS, and Firewall Reference and Troubleshooting

Urchin Demo (12/14/05)

How To Let A Lecturer Know If Someone Is At A Lecture Or If They Are At A Guesthouse

SnapLogic Tutorials Document Release: October 2013 SnapLogic, Inc. 2 West 5th Ave, Fourth Floor San Mateo, California U.S.A.

DDNS Management System User Manual V1.0

How to Configure edgebox as a Web Server

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

IceWarp to IceWarp Server Migration

Hosted VoIP Phone System. Admin Portal User Guide for. Call Center Administration

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Chapter 6 Virtual Private Networking Using SSL Connections

emerge 50P emerge 5000P

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

The Power Loader GUI

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Preventing credit card numbers from escaping your network

SysPatrol - Server Security Monitor

Connecting With Lifesize Cloud

Quick Start Guide. Installation and Setup

exacqvision IP Camera Quickstart Guide

Preparing for GO!Enterprise MDM On-Demand Service

OCS Training Workshop LAB14. Setup

Sonian Getting Started Guide October 2008

Name Services (DNS): This is Quick rule will enable the Domain Name Services on the firewall.

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Using LDAP Authentication in a PowerCenter Domain

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

DiskPulse DISK CHANGE MONITOR

Big Fish ecommerce. BF Import Mapping.doc

Using your Drupal Website Book 1 - Drupal Basics

Configuring H.323 over Port Network Address Translation (PNAT) for Avaya IP Endpoints using the Avaya SG200 Security Gateway - Issue 1.

Mac OS X. Staff members using NEIU issued laptops and computers on Active Directory can access NEIU resources that are available on the wired network.

Microsoft Outlook 2010

LEARNING MANAGEMENT SYSTEM MANAGER GUIDE

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

WildFire Features. Palo Alto Networks. PAN-OS New Features Guide Version 6.1. Copyright Palo Alto Networks

Configuring Logging. Information About Logging CHAPTER

Transcription:

What is a Bro log? Justin Azoff Aug 26, 2014

What is a Bro log? A Bro log is a stream of high level entries that correspond to network events. A file downloaded via HTTP An email sent using SMTP A login over SSH

Not log, but logs. Bro does not have a single alert type log. Instead each kind of event stream has a dedicated file with it s own set of fields. Why more than one file? The SMTP log has from and subject fields The HTTP log has method and uri fields The from field would not make sense for HTTP, and uri does not make sense for SMTP

How many log files are there? By default, bro will output about two dozen log files, depending on what types of traffic it can see: conn.log dhcp.log dns.log dpd.log files.log http.log intel.log known certs.log known hosts.log known services.log modbus.log notice.log radius.log smtp.log snmp.log socks.log software.log ssh.log ssl.log syslog.log traceroute.log weird.log x509.log

Signal to noise ratio The main way that log files can be categorized is by their size and signal to noise ratio. Some logs files are large and will contain entries that can be either benign or malicious. Other files are smaller and contain more actionable information. 24K known services.log 28K software.log 68K notice.log 311M dns.log 856M conn.log

High signal log files Inventory related log files These log files are updated once per day and inventory your network known hosts.log known services.log known certs.log software.log Other high signal files notice.log - When bro detects something it thinks is exceptional it raises a notice. intel.log - Traffic that matches lists of known bad indicators is logged here.

Aside - Customizing log file contents. Bro makes it easy to take a large log file and filter a subset of the entries to a smaller file with a higher signal to noise ratio. Examples Filtering the http.log to http exe.log Filtering the http.log to http wget.log Filtering the http.log to http java.log Filtering the conn.log to conn cn.log Filtering the ssh.log to ssh non us.log

What exactly does a stream of events look like? The short answer: A CSV file. We can create some log files by starting Bro and running the unix command: curl www.google.com This will request the google home page, but not any of the associated javascript or image files. Bro will write an entry in the http.log describing this event. The http.log contains 27 columns which can be a bit daunting. We can transpose the columns into rows to make this single line from http.log easier to understand

http.log transposed Field Type Value ts time 1408828734.304076 uid string CZceY8wvnES5foJp4 id.orig h addr 192.168.43.222 id.orig p port 65032 id.resp h addr 74.125.226.50 id.resp p port 80 trans depth count 1 method string GET host string www.google.com uri string / referrer string -

http.log transposed Field Type Value user agent string curl/7.30.0 request body len count 0 response body len count 21232 status code count 200 status msg string OK info code count - info msg string - filename string - tags set[enum] (empty)

http.log transposed Field Type Value username string - password string - proxied set[string] - orig fuids vector[string] - orig mime types vector[string] - resp fuids vector[string] FvwPGj436gbcfXpCGf resp mime types vector[string] text/html

Not just http. This one HTTP download caused Bro to write entries to 6 log files: http.log has the above entry dns.log has an entry from the dns query for www.google.com files.log has an entry from the html file that was downloaded conn.log has an entry for both the dns an http connections known hosts.log has an entry for 192.168.43.222 software.log has an entry for an HTTP::BROWSER of curl/7.30.0 seen on 192.168.43.222

known hosts.log transposed Field Type Value ts time 1408828734.303825 host addr 192.168.43.222 192.168.43.222 was seen for the first time at 1408828734.303825

software.log transposed (slightly edited) Field Type Value ts time 1408828734.304076 host addr 192.168.43.222 software type enum HTTP::BROWSER name string curl version.major count 7 version.minor count 30 version.minor2 count 0 unparsed version string curl/7.30.0 curl/7.30.0 was seen for the first time on 192.168.43.222 at 1408828734.304076

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information