Bro's Exec Module

Transcript

of the OS. • The command runs in the background with stdout redirecting to stderr. 2

system BIF • Invokes a command via the system function

of the OS. • The command runs in the background with stdout redirecting to stderr. • Bro can’t access the result (output, exit code, etc.) 2

Integration • Block a malicious IP, create an incident, send

to SEM. 3

Integration • Block a malicious IP, create an incident, send

to SEM. • CMU’s Bro cluster has: 46 workers, 6 proxies, 1 manager... and 1 Barnyard node. 3

Review: Input Framework ##! The input framework provides a way

to ##! read previously stored data either as ##! an event stream or into a bro table. 4

Review: Input Framework ##! The input framework provides a way

to ##! read previously stored data either as ##! an event stream or into a bro table. 4 • Readers: • SQLite • ASCII • Binary • Intel Framework

The Exec Module 5 base/utils/exec.bro: module Exec; export {

## Function for running command line ## programs and getting output. global run: function(cmd: Command): Result; }

Exec: Command 6

Exec: Command 6 type Command: record { ## The

command line to execute. cmd: string; ## Provide standard in to the program. stdin: string &default=""; ## If additional files are required to be ## read in as part of the output of the ## command, they can be defined here. read_files: set[string] &optional; ## The unique id for tracking executors. uid: string &default=unique_id(""); };

Exec: Command 6 type Command: record { ## The

Exec: Result 7

Exec: Result type Result: record { 7

Exec: Result type Result: record { ## Exit code

from the program. exit_code: count &default=0; 7

Exec: Result type Result: record { ## Exit code

from the program. exit_code: count &default=0; ## Was the command terminated with a signal? signal_exit: bool &default=F; 7

Exec: Result type Result: record { ## Exit code

from the program. exit_code: count &default=0; ## Was the command terminated with a signal? signal_exit: bool &default=F; ## Each line of standard out. stdout: vector of string &optional; 7

Exec: Result type Result: record { ## Exit code

from the program. exit_code: count &default=0; ## Was the command terminated with a signal? signal_exit: bool &default=F; ## Each line of standard out. stdout: vector of string &optional; ## Each line of standard error. stderr: vector of string &optional; 7

Exec: Result type Result: record { ## Exit code

from the program. exit_code: count &default=0; ## Was the command terminated with a signal? signal_exit: bool &default=F; ## Each line of standard out. stdout: vector of string &optional; ## Each line of standard error. stderr: vector of string &optional; ## If additional files were requested to be ## read, the content of those files. files: table[string] of string_vec &optional; }; 7

8 Exec: Example @load base/utils/exec when ( local result =

Exec::run([$cmd="ls /tmp"]) ) print result;

8 Exec: Example @load base/utils/exec when ( local result =

Exec::run([$cmd="ls /tmp"]) ) print result; vladg@grotto tmp % bro exec.bro [exit_code=0, signal_exit=F, stdout=[gpg-‐CqkLNc, ssh-‐PwEdfvWB1673], stderr=<uninitialized>, files=<uninitialized>] vladg@grotto tmp % ls /tmp gpg-‐CqkLNc ssh-‐PwEdfvWB1673

9 Exec: Standalone Example @load policy/frameworks/communication/listen @load base/utils/exec when (

local result = Exec::run([$cmd="ls /tmp"]) ) { print result; terminate(); }

Integration • Previously been able to block IPs, create tickets,

etc. • We can now verify our blocks, see how long until the block took effect. • We can add a ﬁeld to notice.log with the ticket number. 10

Informing Notice Actions • Check our ticket system to see

if this host has a history of notiﬁcations/ suspensions. • Check LDAP to see if the user is a student or a faculty member. • Check Identity Finder to see if the system has PII. 11

Offensive Defense 12

Offensive Defense 12 @load base/utils/exec @load policy/protocols/conn/known-‐services event log_known_services(rec: Known::ServicesInfo)

{ if ( rec$port_num != 3389/tcp ) return; local cmd = "/opt/nessus/bin/nasl -‐t %s " + "/opt/nessus/lib/nessus/plugins/ms12-‐020.nbin"; when ( local result = Exec::run([$cmd=fmt(cmd, rec$host)]) ) { for ( i in result$stdout ) { if ( /Success/ in result$stdout[i] ) print fmt("%s is vulnerable to MS12-‐020", rec$host); } } }

Offensive Defense 12 @load base/utils/exec @load policy/protocols/conn/known-‐services event log_known_services(rec: Known::ServicesInfo)

Emerging Malware • Team Cymru Malware Hash Registry out of

the box 13

Emerging Malware • Team Cymru Malware Hash Registry out of

the box • What about fresh malware? 13

Emerging Malware • Team Cymru Malware Hash Registry out of

the box • What about fresh malware? • Other ﬁles? PDFs, JARs, etc. 13

14 To the Blogosphere!

@load base/utils/exec @load policy/frameworks/files/hash-‐all-‐files event file_hash(f: fa_file, kind: string, hash:

string) { if ( kind != "md5" ) return; local url = "https://www.google.com/search\?tbm\=blg\&q\=%s"; local user_agent = "\"Mozilla/5.0 (Macintosh; Intel Mac... ”; local strip_crud = " 2> /dev/null | tidy | grep ..."; local cmd = "curl -‐s " + fmt(url, hash) + " -‐A" + user_agent + strip_crud ; when ( local results = Exec::run([$cmd=cmd]) ) { for ( i in result$stdout ) { if ( /[mM]alware/ in result$stdout[i] ) print “Danger, danger!”; } } 14 To the Blogosphere!

@load base/utils/exec @load policy/frameworks/files/hash-‐all-‐files event file_hash(f: fa_file, kind: string, hash:

Protip: str_shell_escape ## Takes a string and escapes characters

## that would allow execution of ## commands at the shell level. ## ## Escapes: `, “ , \\, $ function str_shell_escape(source: string): string 15

Friends of Exec - ActiveHTTP 16

Friends of Exec - ActiveHTTP A module for performing HTTP

requests and getting the reply. global request: function(req: ActiveHTTP::Request): ActiveHTTP::Response; Request: url, method, client_data, max_time, addl_curl_args Response: code, msg, body, headers 16

Friends of Exec - ActiveHTTP A module for performing HTTP

17 Friends of Exec: Dir

17 Friends of Exec: Dir Register a directory to monitor

with a callback that is called every time a previously unseen ﬁle is seen. global monitor: function( dir: string, callback: function(fname: string), poll_interval: interval );

17 Friends of Exec: Dir Register a directory to monitor

with a callback that is called every time a previously unseen ﬁle is seen. global monitor: function( dir: string, callback: function(fname: string), poll_interval: interval );

Fun with Bro! 18

19 Fun with Bro!

Someone sent their credentials over plaintext HTTP? See if those

creds work to SSH into their system! 19 Fun with Bro!

Someone sent their credentials over plaintext HTTP? See if those

creds work to SSH into their system! Someone ran Windows Updates! Send them a pizza. (github.com/coryarcangel/Pizza- Party-0.1.b) 19 Fun with Bro!

Someone sent their credentials over plaintext HTTP? See if those

creds work to SSH into their system! Someone ran Windows Updates! Send them a pizza. (github.com/coryarcangel/Pizza- Party-0.1.b) Have Bro make phone calls. “Is your open recursive DNS server running?” 19 Fun with Bro!

Someone sent their credentials over plaintext HTTP? See if those

creds work to SSH into their system! Someone ran Windows Updates! Send them a pizza. (github.com/coryarcangel/Pizza- Party-0.1.b) Have Bro make phone calls. “Is your open recursive DNS server running?” > net send win2k The 21st century called... 19 Fun with Bro!

Bro's Exec Module

Bro's Exec Module

More Decks by Vlad Grigorescu

Other Decks in Programming

Featured

Transcript