SlideShare une entreprise Scribd logo

BSides Charm2017 Arming Small Security Programs-Bropy

Télécharger en tant que PPTX, PDF
M
Matthew Domko

Talk given by Matt Domko at BSidesCharm 2017 Video at https://youtu.be/hz2eAWV54i0 Bropy at https://github.com/hashtagcyber/bropy Complaints @hashtagcyber on the twitter

Formation
1  sur  41
ARMING SMALL SECURITY PROGRAMS: BROPY Arming Small Security Programs BSidesCharm
ARMING SMALL SECURITY PROGRAMS: BROPY Network baseline generation with Bropy Arming Small Security Programs
ARMING SMALL SECURITY PROGRAMS: BROPY • I “borrowed” my employers slide template – Creating .POT files is hard • This is NOT my employers material • TLDR; You can sue me, not my employer Disclaimer
ARMING SMALL SECURITY PROGRAMS: BROPY Matt Domko – Beard Enthusiast – Former: • Parachutist • Enterprise Admin • “Cyber Network Defender” – Instructor at Chiron Technology Services – Started blogging about Blue Team stuff http://goo.gl/uznCag – Brakesec Slack https://brakesec.signup.team – @hashtagcyber About Me
ARMING SMALL SECURITY PROGRAMS: BROPY “Make the world a safer place” {by sharing information} Why I’m here
ARMING SMALL SECURITY PROGRAMS: BROPY • Malicious network activity CAN be identified using signatures… The Problem: Detecting Malicious Network Activity
ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
ARMING SMALL SECURITY PROGRAMS: BROPY • And more signatures…. • Fingerprinting EVERY attack is impossible • Signature based detection is USELESS if a signature does not exist for the attack being performed The Problem: Detecting Malicious Network Activity
ARMING SMALL SECURITY PROGRAMS: BROPY The Initial Idea
ARMING SMALL SECURITY PROGRAMS: BROPY Step 1: Build a network baseline. – Bro? – Netflow? Step 2: Write SNORT rules. – I need alerts for non-standard traffic Step 3: ? – Something … Something … Something… Step 4: Profit! – Or at least spend less time worrying The Initial Idea
ARMING SMALL SECURITY PROGRAMS: BROPY • Administrators face a similar problem with detecting malicious binaries. • Antivirus products initially only used file signatures to identify malware: – Evil Hashes – Ego Strings – Reused code blocks • This eventually failed, as attackers could easily modify malware to avoid signatures faster than they are generated – MSFVenom, Veil-Evasion, Hyperion A Similar Problem: Malicious Binaries
ARMING SMALL SECURITY PROGRAMS: BROPY • Heuristic detection helped, but does it catch everything? – No. (Malware still exists/functions today) • What else can we do? – Enter Application Whitelisting A Similar Problem: Malicious Binaries
ARMING SMALL SECURITY PROGRAMS: BROPY • Application Whitelisting provides ability to: – Log execution of all files except explicitly authorized (whitelist): • File Hashes (tedious) • File Names (poor protection) • Signed Code (Awesome) • Source Directory (simple) – Prevent execution of files that are not in the whitelist. – Prevent execution of explicitly defined files (Blacklisting) A Similar Problem: Malicious Binaries
ARMING SMALL SECURITY PROGRAMS: BROPY 1. Start with an empty whitelist 2. Apply a policy to log everything not in whitelist 3. Use logs to generate a whitelist 4. Modify policy to block everything not in whitelist 5. Review new logs • Investigate blocked files • Update whitelist as needed Simple Application Whitelisting Implementation
ARMING SMALL SECURITY PROGRAMS: BROPY • The same concept can be applied to network activity: – Start with an empty whitelist – Apply a policy to log all traffic not in the whitelist – Use logs to update the whitelist – Review new logs • Investigate new ports/hosts • Update whitelist as needed Malicious Network Activity : Anomaly Detection
ARMING SMALL SECURITY PROGRAMS: BROPY • Get data for my whitelist? – Bro. • Create a policy to log traffic? – Bro scripts • Create logs from new traffic? – Bro scripts • Review new logs? – ELSA • Last question… Can you tell me more about Bro? But Matt, How Do I <do thing>?
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro in 30 Seconds – Much more than an IDS – Logs multiple layers of traffic – “Packet String” – Similar to NETFLOW – Plugins/Scripts – Interpret Data – Take action – Logs are small • Allows for longer retention than PCAP – Open Source, Built-in to Security Onion Gathering Data with Bro
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Data Formatting – Tab Separated table – Headers at top – Common Fields: • Timestamp (ts) • Connection ID (uid) • IP Source (id.orig_h) • Source Port (id.orig_p) • IP Destination (id.resp_h) • Dest Port (id.resp_p) Gathering Data with Bro
ARMING SMALL SECURITY PROGRAMS: BROPY • Logs are simple to parse …. programmatically Gathering Data with Bro
ARMING SMALL SECURITY PROGRAMS: BROPY • Humans should use ELSA, Splunk, etc… Gathering Data with Bro
ARMING SMALL SECURITY PROGRAMS: BROPY • Key Directories: – /nsm/bro/logs/current • notice.log • conn.log • weird.log – /opt/bro/share/bro/policy • Contains scripts loaded by Bro – /opt/bro/share/bro/site/local.bro • Add path to custom scripts to this file to load when bro starts Gathering Data with Bro
ARMING SMALL SECURITY PROGRAMS: BROPY “The best way to learn to write Bro scripts, is to write Bro scripts” – Seth Hall, SecurityOnion Conference 2015 Bro Scripts
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; };
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; #Create a list
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; event bro_init() { #Do stuff when Bro loads
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; print fmt ("There are %d in the list.", |myports|); #Format string # |var| gets length of list
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; event new_connection(c:connection) { # Do the thing in curley braces when Bro detects a new connection
ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; if (c$id$resp_p in myports) { #If the destination port (c$id$resp_p) is in the list, do the thing in curley brackets
ARMING SMALL SECURITY PROGRAMS: BROPY Baselinereport.bro ::Pseudocode 1. Load table (baseline.data) 2. Check every new connection: – Is the destination on the baselined subnet? • If so, is it in the baseline? – If it’s in the baseline, is the source address allowed to use that port? 3. Log any “No’s” Something a little more useful…
ARMING SMALL SECURITY PROGRAMS: BROPY 1. git clone https://github.com/hashtagcyber/baseliner.git 2. Edit line 32 of baselinereport.bro, replace with a comma separated list of subnets 3. Copy both files to /opt/bro/share/bro/policy/misc 4. Add “@load misc/baselinereport” to /opt/bro/share/bro/site/local.bro 5. Restart Bro Installing Baselinereport.bro
ARMING SMALL SECURITY PROGRAMS: BROPY • Useful search terms: – Show all notice’s generated by baselinereport • class=BRO_NOTICE "-" notice_type="TrafficBaselineException“ – Show all connections to an IP, grouped by destination port • BRO_CONN.dstip=156.22.10.10 groupby:dstport – Show all connection to an IP/Port pair grouped by source IP • BRO_CONN.dstip=156.22.10.10 BRO_CONN.dstport=445 groupby:srcip ELSA Demo
ARMING SMALL SECURITY PROGRAMS: BROPY Updating Baseline w/ ELSa & VI
ARMING SMALL SECURITY PROGRAMS: BROPY • That sounds like a lot of work… But ….
ARMING SMALL SECURITY PROGRAMS: BROPY • Written in Python • Installs baselinereport.bro script • Parses notice.log • Generates network baseline automatically • Simple Yes/No interface Bropy
ARMING SMALL SECURITY PROGRAMS: BROPY Scenario Network
ARMING SMALL SECURITY PROGRAMS: BROPY • Demo Time Bropy
ARMING SMALL SECURITY PROGRAMS: BROPY 1. git clone https://github.com/hashtagcyber/bropy 2. cd bropy 3. sudo ./bropy.py – Select option 3 to install • Enter the subnet and CIDR that you would like to monitor • Example: 156.22.10.0/24 4. Select Y to restart Bro 5. Wait for logs to be generated…. 6. sudo ./bropy.py – Select option 1 to “Auto Baseline” – Select option 2 for Y/N prompting Bropy on SecurityOnion
ARMING SMALL SECURITY PROGRAMS: BROPY • Generate a list of every port/protocol critical hosts receive connections on • Receive alerts when non-standard connections are detected • Baseline data can be used to generate firewall lists Use Case
ARMING SMALL SECURITY PROGRAMS: BROPY Questions?

Recommandé

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 

Recommandé

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University of Engineering & Technology, Jamshoro
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 

Contenu connexe

Dernier

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 

Dernier (20)

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 

En vedette

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellSaba Software
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming LanguageSimplilearn
 

En vedette (20)

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 

BSides Charm2017 Arming Small Security Programs-Bropy

  • 1. ARMING SMALL SECURITY PROGRAMS: BROPY Arming Small Security Programs BSidesCharm
  • 2. ARMING SMALL SECURITY PROGRAMS: BROPY Network baseline generation with Bropy Arming Small Security Programs
  • 3. ARMING SMALL SECURITY PROGRAMS: BROPY • I “borrowed” my employers slide template – Creating .POT files is hard • This is NOT my employers material • TLDR; You can sue me, not my employer Disclaimer
  • 4. ARMING SMALL SECURITY PROGRAMS: BROPY Matt Domko – Beard Enthusiast – Former: • Parachutist • Enterprise Admin • “Cyber Network Defender” – Instructor at Chiron Technology Services – Started blogging about Blue Team stuff http://goo.gl/uznCag – Brakesec Slack https://brakesec.signup.team – @hashtagcyber About Me
  • 5. ARMING SMALL SECURITY PROGRAMS: BROPY “Make the world a safer place” {by sharing information} Why I’m here
  • 6. ARMING SMALL SECURITY PROGRAMS: BROPY • Malicious network activity CAN be identified using signatures… The Problem: Detecting Malicious Network Activity
  • 7. ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
  • 8. ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
  • 9. ARMING SMALL SECURITY PROGRAMS: BROPY The Problem: Detecting Malicious Network Activity
  • 10. ARMING SMALL SECURITY PROGRAMS: BROPY • And more signatures…. • Fingerprinting EVERY attack is impossible • Signature based detection is USELESS if a signature does not exist for the attack being performed The Problem: Detecting Malicious Network Activity
  • 11. ARMING SMALL SECURITY PROGRAMS: BROPY The Initial Idea
  • 12. ARMING SMALL SECURITY PROGRAMS: BROPY Step 1: Build a network baseline. – Bro? – Netflow? Step 2: Write SNORT rules. – I need alerts for non-standard traffic Step 3: ? – Something … Something … Something… Step 4: Profit! – Or at least spend less time worrying The Initial Idea
  • 13. ARMING SMALL SECURITY PROGRAMS: BROPY • Administrators face a similar problem with detecting malicious binaries. • Antivirus products initially only used file signatures to identify malware: – Evil Hashes – Ego Strings – Reused code blocks • This eventually failed, as attackers could easily modify malware to avoid signatures faster than they are generated – MSFVenom, Veil-Evasion, Hyperion A Similar Problem: Malicious Binaries
  • 14. ARMING SMALL SECURITY PROGRAMS: BROPY • Heuristic detection helped, but does it catch everything? – No. (Malware still exists/functions today) • What else can we do? – Enter Application Whitelisting A Similar Problem: Malicious Binaries
  • 15. ARMING SMALL SECURITY PROGRAMS: BROPY • Application Whitelisting provides ability to: – Log execution of all files except explicitly authorized (whitelist): • File Hashes (tedious) • File Names (poor protection) • Signed Code (Awesome) • Source Directory (simple) – Prevent execution of files that are not in the whitelist. – Prevent execution of explicitly defined files (Blacklisting) A Similar Problem: Malicious Binaries
  • 16. ARMING SMALL SECURITY PROGRAMS: BROPY 1. Start with an empty whitelist 2. Apply a policy to log everything not in whitelist 3. Use logs to generate a whitelist 4. Modify policy to block everything not in whitelist 5. Review new logs • Investigate blocked files • Update whitelist as needed Simple Application Whitelisting Implementation
  • 17. ARMING SMALL SECURITY PROGRAMS: BROPY • The same concept can be applied to network activity: – Start with an empty whitelist – Apply a policy to log all traffic not in the whitelist – Use logs to update the whitelist – Review new logs • Investigate new ports/hosts • Update whitelist as needed Malicious Network Activity : Anomaly Detection
  • 18. ARMING SMALL SECURITY PROGRAMS: BROPY • Get data for my whitelist? – Bro. • Create a policy to log traffic? – Bro scripts • Create logs from new traffic? – Bro scripts • Review new logs? – ELSA • Last question… Can you tell me more about Bro? But Matt, How Do I <do thing>?
  • 19. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro in 30 Seconds – Much more than an IDS – Logs multiple layers of traffic – “Packet String” – Similar to NETFLOW – Plugins/Scripts – Interpret Data – Take action – Logs are small • Allows for longer retention than PCAP – Open Source, Built-in to Security Onion Gathering Data with Bro
  • 20. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Data Formatting – Tab Separated table – Headers at top – Common Fields: • Timestamp (ts) • Connection ID (uid) • IP Source (id.orig_h) • Source Port (id.orig_p) • IP Destination (id.resp_h) • Dest Port (id.resp_p) Gathering Data with Bro
  • 21. ARMING SMALL SECURITY PROGRAMS: BROPY • Logs are simple to parse …. programmatically Gathering Data with Bro
  • 22. ARMING SMALL SECURITY PROGRAMS: BROPY • Humans should use ELSA, Splunk, etc… Gathering Data with Bro
  • 23. ARMING SMALL SECURITY PROGRAMS: BROPY • Key Directories: – /nsm/bro/logs/current • notice.log • conn.log • weird.log – /opt/bro/share/bro/policy • Contains scripts loaded by Bro – /opt/bro/share/bro/site/local.bro • Add path to custom scripts to this file to load when bro starts Gathering Data with Bro
  • 24. ARMING SMALL SECURITY PROGRAMS: BROPY “The best way to learn to write Bro scripts, is to write Bro scripts” – Seth Hall, SecurityOnion Conference 2015 Bro Scripts
  • 25. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; };
  • 26. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; #Create a list
  • 27. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; event bro_init() { #Do stuff when Bro loads
  • 28. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; print fmt ("There are %d in the list.", |myports|); #Format string # |var| gets length of list
  • 29. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; event new_connection(c:connection) { # Do the thing in curley braces when Bro detects a new connection
  • 30. ARMING SMALL SECURITY PROGRAMS: BROPY • Bro Scripting Bro Scripts owner@onion:~/simple$ cat simple.bro global myports: set[port] = {21/tcp, 22/tcp, 0/icmp}; event bro_init() { print "Lets print myports."; print fmt ("There are %d in the list.", |myports|); for (x in myports) print x; } event new_connection(c:connection) { if (c$id$resp_p in myports) { print fmt("Port %s connection detected", c$id$resp_p); }; }; if (c$id$resp_p in myports) { #If the destination port (c$id$resp_p) is in the list, do the thing in curley brackets
  • 31. ARMING SMALL SECURITY PROGRAMS: BROPY Baselinereport.bro ::Pseudocode 1. Load table (baseline.data) 2. Check every new connection: – Is the destination on the baselined subnet? • If so, is it in the baseline? – If it’s in the baseline, is the source address allowed to use that port? 3. Log any “No’s” Something a little more useful…
  • 32. ARMING SMALL SECURITY PROGRAMS: BROPY 1. git clone https://github.com/hashtagcyber/baseliner.git 2. Edit line 32 of baselinereport.bro, replace with a comma separated list of subnets 3. Copy both files to /opt/bro/share/bro/policy/misc 4. Add “@load misc/baselinereport” to /opt/bro/share/bro/site/local.bro 5. Restart Bro Installing Baselinereport.bro
  • 33. ARMING SMALL SECURITY PROGRAMS: BROPY • Useful search terms: – Show all notice’s generated by baselinereport • class=BRO_NOTICE "-" notice_type="TrafficBaselineException“ – Show all connections to an IP, grouped by destination port • BRO_CONN.dstip=156.22.10.10 groupby:dstport – Show all connection to an IP/Port pair grouped by source IP • BRO_CONN.dstip=156.22.10.10 BRO_CONN.dstport=445 groupby:srcip ELSA Demo
  • 34. ARMING SMALL SECURITY PROGRAMS: BROPY Updating Baseline w/ ELSa & VI
  • 35. ARMING SMALL SECURITY PROGRAMS: BROPY • That sounds like a lot of work… But ….
  • 36. ARMING SMALL SECURITY PROGRAMS: BROPY • Written in Python • Installs baselinereport.bro script • Parses notice.log • Generates network baseline automatically • Simple Yes/No interface Bropy
  • 37. ARMING SMALL SECURITY PROGRAMS: BROPY Scenario Network
  • 38. ARMING SMALL SECURITY PROGRAMS: BROPY • Demo Time Bropy
  • 39. ARMING SMALL SECURITY PROGRAMS: BROPY 1. git clone https://github.com/hashtagcyber/bropy 2. cd bropy 3. sudo ./bropy.py – Select option 3 to install • Enter the subnet and CIDR that you would like to monitor • Example: 156.22.10.0/24 4. Select Y to restart Bro 5. Wait for logs to be generated…. 6. sudo ./bropy.py – Select option 1 to “Auto Baseline” – Select option 2 for Y/N prompting Bropy on SecurityOnion
  • 40. ARMING SMALL SECURITY PROGRAMS: BROPY • Generate a list of every port/protocol critical hosts receive connections on • Receive alerts when non-standard connections are detected • Baseline data can be used to generate firewall lists Use Case
  • 41. ARMING SMALL SECURITY PROGRAMS: BROPY Questions?