
Now I can't get the microphone to work nicely. Okay, there we go. All right everybody, welcome. Sorry about that. So my name is... oh, I have to do my disclaimer first. I stole my company's slideshow template; I did not steal their material. If I say something crazy, sue Matt Domko, not my company. Okay, cool. So my name's Matt Domko. I used to be a professional PowerPoint slide developer and presenter. That's not true, obviously. But I was in the Army for about 10 years. Loved what I did. Jumped out of airplanes for the first nine, did enterprise admin kind of stuff, and then the last two I moved down to Fort Gordon. It was in the Cyber Protection Brigade that they have down there. It was really cool because you got to get exposed to lots of different networks, and the way that you do things in your organization might be completely different from another organization, so being on the team that I was on I got to see many different organizations and many different attempts at security. It was really cool. I teach blue team-y stuff for my company. I hang out on Slack a lot, and Twitter, so if you have any questions about the stuff that I talk about, that's where I pretty much live, so at hashtag cyber.

Oh, this is a different version of my slides, but that's okay. So why am I here? Whenever I was in the Army, one of the things that we had to do all the time, and it took the longest amount of time, was sit down and make a list of every single port and protocol that a system used, right? Has anybody ever done like a PPSM document before? It's so much fun, right? It's like, woo, I love doing... no, I hate it. And so I would spend like hours in Excel and write crazy formulas, and still it was not fun at all. So I kind of sat down and I was like, how can I do this better? I wrote a tool to do it and I was like, this is going to make my life super, super easy, right, as far as that goes. So I figured out how I can make this list, and I made the list, but then I got to thinking, I was like, well, can I use this to detect malicious activity? Is that something that I can do?

And so the problem, right: identifying malicious activity on the network. So we can do it using signatures, right? Everybody's heard of Snort or Suricata, right? It's a thing. So we have signatures. This is what they look like, and that's what they look like, and that's what they look like, that's what they look like. All in all, with just a default install of Security Onion you end up with about 21,000 rules just by default. That's not even pulling updates; just out of the box, 21,000 signatures. So this kind of points at itself, right? The problem with signature-based detection is you can't create a signature for everything. If you don't know that someone is throwing MS 1834 right now, because it's the year 2017, you can't have a signature for it, so it doesn't protect you as well as we would like it to. So what do we do?

My idea, after I came up with that little tool to write my PPSMs, I was like, I got this. Here's what I can do to do anomaly-based alerts for super cheap, because we're the government so we're super poor, right? That's the way that is. So this was the initial idea: build a network baseline, write some rules in Snort that'll alert when something is not in my baseline. What happens? I didn't really know how exactly to do it, but that's what I was gonna do. So I wrote it down, I was like, okay, I'm gonna do this, and after I finish I'm gonna put in for a talk and it's gonna be great. So the problem was I said I'm gonna do it this way with Snort, and I ended up with about 800 lines of Snort rules saying if not this, if not this, if not... Life was super hard. So I kind of threw that in the trash and then I thought, well, how else do we detect malicious things? What's a similar problem that we have to take a look at? Malicious binaries, right? Finding malware on systems. It's been a thing for a very, very long time now, right?

So initially, how did McAfee 1.0 detect Back Orifice? Well, first of all, it probably didn't, right? But it looked for signatures, and it was looking for bad hashes, strings, something to fingerprint that file, and it would find it and be like, hey, this is bad, you don't want this. I know you downloaded it from your AOL Instant Messenger, but you don't want to run this program. The problem with signature detection, specifically for binaries, is how many tools do we have right now that can take a piece of malware and obfuscate it, right? So we've got Veil-Evasion, we've got Hyperion, msfvenom, even for a little while, right? Well, still sometimes. It's pretty cool on those days when you see msfvenom work in 2017; it makes your heart get big. But there's lots of tools that we can use to evade AVs. So yeah, signature-based detection: it's not useless, it helps, but it's not going to catch all the things. So what happened after that with AVs was the next cool technique after we did signature-based detection.

Okay, so one thing about me: I'm a teacher. You guys are just a little bit bigger than I'm used to, but I'm gonna ask questions and you can holler out and answer. It's totally okay, nobody's gonna like strong-arm you out of here. Does that sound like a plan? See, somebody at least. Okay, perfect. All right, so after signatures, right, so McAfee 1.0 had just straight signatures looking for this file hash or this string.
McAfee 1.5, McAfee 2.0 maybe, I don't know. What did we bring into the mix after we realized signatures don't work? Heuristics, right, exactly, it's on the slide. Awesome, see. So heuristics: the great thing about heuristics was I don't have to catch the exact file, I just trace its pattern. So if someone remotely maps my C drive, copies a binary to it, schedules an at job to instantly run it, like, yeah, okay, that's probably bad. That's not a thing that people do on a regular basis, right? The heuristics of that action, they're bad. So we did that, right, and now most of your antivirus suites have some sort of heuristic detection method. Really, really beneficial. Does it catch everything? Yeah, so it still doesn't catch everything.

What else can we do? Whitelisting, right? Oh my goodness, I was so super excited about AppLocker and the things that you can do, until I saw Chris Truncer talk about Device Guard with Windows 10 the other day, and I was like, Device Guard is the coolest thing in the world. I mean, application whitelisting is still pretty cool, and Device Guard is just a more mature version of it. But exactly that: we can do application whitelisting. So I create a policy and I say, all right, computer, you're only allowed to run software that I say you can, and if anything else tries to run, don't do it, right? Especially in an enterprise organization, that's a thing that I can do, right? So let me go ahead and say only these hashes are allowed to run, only things signed by Microsoft are allowed to run, only things in this directory. I probably wouldn't go with that one, that doesn't sound like a good idea, but you can do it, right, if you're just trying to get it implemented.

Okay, so what's Matt Domko's basic way to apply application whitelisting? This is super, super easy when you talk about it, super, super easy when you do it. Start with an empty whitelist. Create a policy that says don't allow anything to run, but if it does, log it. So now you have a huge list of logs that say, hey, this piece of software ran on your system. So what do you know now? All the software that's running on your systems, right? So now you take that list. Yeah, you got to go through it, make sure that like metservice.dll isn't being fingerprinted, but other than that, once you go through it, now you have a list of every application that's running in your enterprise, and all you had to do was create a policy that said, hey, allow this, log everything else. Done. Now you have a complete software inventory. Go you. So once you have that list and you've gone through with a fine-tooth comb and picked everything out that you want to run, you just update the policy. Now if something that's not on your whitelist tries to run, it gets blocked. How easy is it going to be to upload a backdoor if the only thing that's allowed to run on that system is executables signed by Microsoft or executables that you've explicitly authorized? Pretty hard, right? Kind of hard to get an implant installed if you're not allowed to execute the implant.

So that's the way that I'm solving it as far as applications go, and I thought, maybe I do this with networking. So I'll start with an empty whitelist, I'll create a policy that logs everything that's not in my whitelist, so it's going to log everything right now. A little bit intensive, but it'll be all right. Take those logs, combine them, parse through them. Everything that is actually authorized will go in my whitelist; everything that's not, well, it doesn't need to be happening anyway, right? Let me go ahead and create some rules to stop that. Once I have my new whitelist generated, I'm good. I just sit back, relax, review my logs every once in a while. Maybe I need to update some ports because somebody turned on a new service.

So that being said, how can I do all these things? I'm a major Bro fanboy. Yeah, so how do I get data for my whitelist? I can do that with Bro. How do I have a policy that creates that logging that I want? I can do that with Bro. Logs from the new traffic that doesn't fit my whitelist? Bro. The only thing that I can't do in Bro is review new logs. Has everybody heard... anybody not heard of Bro before? One, two, okay, cool. So I'll talk about it in 30 seconds, right, and the warning on this is my name is not Seth Hall, it's Matt Domko, so this is my version of what Bro is. It's an IDS tool suite, right? It's more like a network monitoring framework, but basically, if I have full pcap over on the left, that takes up one gig per second because my link is completely saturated, and I have just my NetFlow, right, that my Cisco devices are providing to me, which takes up maybe one gig in a year, Bro gives me that in-between. It gives me packet strings, so anything that's in a packet that can be printed out as ASCII text, we can pull that out. So just like in NetFlow where I get my source and destination IP and ports, I can pull those out, but I can also pull out DNS requests, I can pull out HTTP GET requests, I can pull out files as they get transferred across the network.

There's a script built into Bro where I can automatically extract binaries as they're being transferred across the wire, so later on whenever I'm doing an incident response I don't have to go in and manually pull the file out of pcap. It already got pulled and now it's sitting on my server and I can analyze it the same way that I would anything else. So I love that. The plugins and scripts that come with it: it's a scripting language, so you can tell it to do whatever you want. It's amazing. And then, I think I've already hit on it, the fact that logs are small. So instead of pulling a gig per second for full pcap, I'll spend maybe a meg for a day. Not that big, right? Depending on the size of your pipe, but you're not going to be anywhere near the data storage requirements with Bro as you would be with full pcap, and so I love it for that. It's my in-between. If I can only keep pcap for a week, I want Bro for a year, NetFlow for two, just so that I can see in detail what's going on. Makes life easier. Oh, by the way, this super awesome tool is built into Security Onion, so I have it turnkey; I can just spin up the VM and it's good.
So as far as my Bro logs, before we take a look at what those logs look like, a couple of fields that are useful: the uid, so the connection ID. Bro tracks each connection and it gives it a unique number. If we want to do IP source, originating host; if we want to do source port, originating port; same thing for destination, responding host, responding port. Our logs are super, super easy to parse if you're a computer. I don't know about anybody else, but I don't wanna stare at that and be like, so one five seven talked to 60... no, that's way too much work. I'm not going to do it. I'm going to use something like ELSA or Splunk or Elastic Stack.

As far as Bro configuration directories, these are the ones that I use right now because they feed into my tool, so just a couple of reference points if later on you're like, hey, I want to try out BroPy, you can take a look back. Basically you need to know where the scripts are going to go, you need to know where your logs are going to be, and you need to know where the configuration file for Bro is, where it loads up the scripts. This is the default for Security Onion; if you compile from source and install it yourself, it'll be wherever you told it to be.

So 2013, 2014, I don't remember which one, 2015, okay. I was at Security Onion Con and Seth Hall, one of the developers of the Bro project, he's my hero, and he's up front and I'm waiting, I'm eager for him to lay down some Bro knowledge, and he steps up there and he says the best way to learn to write Bro scripts is to write Bro scripts. And I was like, yeah, but I don't know how, so that's why I'm at your talk, could you please tell me about it? And I was freaking out because I thought he wasn't going to actually talk about it. So he said that and I was like, that's kind of a jerk move. But then I started working on my own Bro scripts and I was like, okay, so he was exactly right. This is just like any other language. You want to know the best way to learn Python? Start writing Python, make yourself write Python. You want to learn C? Same thing. Bro, exactly the same way.

So I figured, in the interest of learning, let's write a simple Bro script and work through it. All of the pieces to this script are actually used in one of the scripts that comes with BroPy, and it's what does the heavy lifting, the logging and the alerting. So in our Bro scripts we can use variables just like in any other language, right? If this were Python... so set[port], this is a list of ports. I give it curly braces, the port number and then the protocol. Too easy. Bro scripts are actually event-driven, so my script, a packet can come in, cause an action, cause an event, and all the scripts that are listening for that event can take action at the same time. So that's pretty cool. The only downside to that is if you're writing scripts you have to know what the different events do and that they exist, right? But it's really cool. My script can cause an event, or a packet can cause an event, or another script can cause an event, and everything kind of gets to execute at the same time. It's really nice.

So event bro_init: when Bro first starts up, what do I want it to do? Well, I want it to print a string and then I want it to do a format string. So I took my variable and, using the pipes, I don't have a... yeah, on the right-hand side you can see pipes, my ports, so that's actually going to tell me how many items are in my ports. After that I said, okay, the next event that I want to track is new_connection. So every time a new connection is detected, I want Bro to do something for me. What do I want it to do? I want to check the destination port and see if it's in that list we created earlier. It's pretty simple, right? So if the destination port is in my list, I want to print an alert to the screen or do something. Okay, I feel like I'm... nope, okay. Those three things: an if statement, the ability to call a file or to call a list, that's what I'm doing as far as my Bro scripting goes.

The Bro script that I'm using is baseline_report.bro; it's also on GitHub with BroPy, but basically it pulls in a table and it checks every single new connection: is this in the database? If it is, is this source allowed to talk to that destination? So yeah, my file server: people within the organization should be allowed to talk to the file server, right? People on the internet, even if I have the worst admin in the world, should not be allowed to talk to my file server, right? Like, that's not a thing. So that's what we're doing, we're checking source and destination to see if they're authorized. If they are, cool, we're good, next packet. If they're not, let's go ahead and do some logging. As far as installing it goes, super simple: you download the script, edit a line that tells it what subnet you want to protect, because you obviously don't want to check every single packet that goes across the network, just the hosts that you want to baseline, right, and you'll want to manage for that. So you do that, you copy it to wherever your scripts go, you edit local.bro to call baseline_report, and restart Bro. That's it. Except we don't have a baseline. So what you'll have to do is go through... wow, that's not gonna work, is it? So what you'll have to do is hop into ELSA...

Maybe.
I'm just having a terrible day with computers. Either way, you'll hop into ELSA and you'll just make a list of every single port and protocol that you use based on searches in Security Onion. Why? That sounds like a lot of work, right? I'm not actually gonna do that. So what I am gonna do... yeah, so that was what I wanted to show you: creating a list like this by hand does not sound like fun, right? Every single port that your domain controller uses, anybody know how many that is off the top of their head? It's 17, exactly, see, there's 17, or 42, right, one of the two. But no, it's a lot, and it's way too much work to sit down and do it. So why don't I do something, create something that'll automatically parse the logs for me? So that's why I wrote BroPy, is to parse those logs. So my baseline_report script will create the logs and then BroPy will parse them and create that list for you. As far as generating the list, all it is is a yes/no prompt: this connection was made, do you want it in your baseline? Yes you do, no you don't. Pretty simple, right? It's like, if you can't tell, I was in the Army, so I had to keep things simple so that I wouldn't, like, not be able to do it.

So as far as my scenario network goes, hopefully my Onion will come back up, but I built this network with a couple hundred systems, a couple servers: SQL Server, SharePoint server, WSUS, RDP, and a DC. And I was like, I'm gonna baseline all of this stuff in an hour. That was the goal, was to be able to get a list of every single port and protocol that I was actually using in less than an hour. So that's what BroPy does.

There we go. Well, except for not really.

That's okay, I can work with this. That's tiny. So, BroPy, let's do this. So all I'm gonna do to go ahead and install BroPy is just git clone it. I already have it, but pull it down off GitHub. You've got three files in there that you're actually going to use. So baseline.data, that's your baseline, that's what that is. baseline_report.bro, that's the script that generates all the alerts. And then bropy is what does all the magic for us so that we don't have to do very much work. So I'm just going to sudo bropy...

Oh.

Oh, I'm already root. That's awesome.

I'm not crazy, right? Oh, bropy, thank you, there we go. And we can't read it because I turned this too big, but basically it pops you up with a menu. Would you rather be able to read it or make it look pretty? You can read it, okay, cool. So I've got three options. Really I only have two. So the first one, this is just for "I trust everything in the network". What it's gonna do, it's gonna automatically go out and build you a baseline based on your Bro logs. We don't necessarily want to automatically trust everything that's already happened in our network, right? That's probably a bad thing to do. So I would generate this and then pass it out to my server admins and be like, hey, are all these ports actual ports? So now you have facts: these ports are being used, and you can say, sysadmin, this is your job, what are these? And if you can't answer, then we probably don't need to let them happen, right? The second option that we have is to step through every single alert that was generated, and then the third is just to install it.

So we do have to start with install, so I'm going to do three, and we tell it what subnet do we want to watch. Like I said, you don't want to check every single packet, you just want to check the ones that are important, right? We're doing anomaly logging on this one small, very, very important piece of our network. If I want five sensors to do five different pieces, I can do that, but for this one instance I want to do just these important ones. So I'm gonna go ahead and do my server subnet from my lab, 156.22.11.0/24, and you can do multiple subnets, just do comma separated, and it becomes easy. If you want to do a particular host, just do a /32. It's going to do some checks and see, like, do you want to overwrite things that already exist? I'm going to go ahead and overwrite things that already exist.
I'm going to overwrite my previous script, and then, do I want to restart Bro? So that line right there, "do you want to restart Bro", actually happened after I asked my buddy to demo the tool for me. I was like, hey, can you try this? I know you've got like 500 Bro installs across your network, can you run this for me? And he installed it and then it automatically restarted every single sensor of his, so he had like an hour of downtime, and I feel really bad about it, but he probably should have done some code review before he just ran random stuff on his production network. So I blame me, but I also, a little bit, I blame him. But so now we have "are you ready to restart Bro?" That's why that's there.

All right, so I installed Bro, or I installed BroPy. Everything's already configured for me. All I have to do now is generate some traffic. So I've got a honkbaseline.pcap and that's just my baseline traffic, right, it's just a recording of a week. So sudo... I'm already root. So tcpreplay, and I'm gonna go ahead and use it to replay that traffic. So if I take a look, ls nsm bro logs current, I don't have any logs there. Demo gods are awesome.

Okay, I played all that stuff.

So what I should see here... I'm just going to go ahead and roll on because this is going to be a bad day for me. So what I should see here: I've got my standard error and my reporter log, so I'm sure I just crashed Bro instead of installing it appropriately. But what I should see here is a notice log. In that notice log I'll have a bunch of alerts that say non-standard traffic detected. Whenever I run BroPy again, now that I've actually run BroPy once, I can actually hit one and it'll go through, parse all of my logs, and generate a baseline file. So I'm gonna hit yes to restart, but then I'm also gonna go ahead and take a look at my new baseline file. So that'll be less of... sure, Bro.

So I replayed that pcap and ran BroPy. Now I have a list of every single port, protocol, and destination host that happened in that pcap. So you see ICMP: the 128 box got pinged a lot from a lot of hosts, so I can actually see that now, visibly, right? And I didn't have to do any of this, it all just got created for me. Really, really nice. If I wanted to go in and maybe... so SMB traffic, right, I know it's going to exist for my entire network. I'll see a bunch of these 192.168 whatevers. I'll probably change this 32, using vi, to be a 24, whatever my network is. So you can go in and manually do that. In the future it'd be great if I had like a bunch of people that know Python to come help me work on this and make it better, but we could do that right at the command line: say, do you want the default 32 or do you want to put in a custom subnet mask that's authorized? That would be great. It wouldn't be too hard to do, but I just haven't had the time to put it in there yet.

Yes. So just to recap my awesomely failed demo, I'm sorry about that. You just git clone, change directory into it, and run BroPy. Tell it to install. Once it's done, gather your traffic, you'll have logs, run BroPy again and either step through each individual log and say yes, no, yes, no, or have it auto-generate and then manually take a look at the list. Because now, instead of having to parse through and do searches, you have a list, so just go through it, have your engineers do the work as to whether or not people should be connecting to those ports.
And then, so, use cases: these are the three things that I love. That's the one reason why I wrote the tool. I now have a list of everything that's connecting to my critical resources. I can get alerts whenever new hosts connect to it or a new service pops up, right? I know we have that with like PADS and stuff like that, but I wanted a lot of things in one spot for me, and that's why I did it. And then with our baseline data, so I get this baseline deployed and I go a month without any logs. How about I just take that baseline, pass it off to my engineering team on the networking side, and say this is the only traffic that's allowed to happen, to go into our network. That's it, just these. And then somebody, probably your CIO, he's gonna be like, so, but is that gonna break anything? Because the website has to stay up. And you're gonna be like, I can guarantee you that nothing will be broken because I haven't had any alerts in a month and nobody's using any ports other than these. So you can guarantee your CIO we are only using these ports, if you have a list of all the ports that you use. So that's that. Any questions? Okay, in the back.

Yeah, so if you're really good at machine learning and those types of maths, you can totally come help me make this better. Like, so that's the thing, right, is, and I say this all the time to my students, it's like, I'm just a guy playing with Legos right now, and so I know a little bit of this and a little bit of this and it'll solve my problem. It might not be the 50 Death Star Lego kit; mine's actually a bunch of blue and green Legos, but I think it looks like the Death Star. So that's that. But yeah, I love the idea, and as soon as I can find somebody to help me with it, that would be amazing.

Okay.

Right.

Okay, cool. Yeah, no, I would love to hear more about that. So, anybody else?

Yeah, so it's creating new logs. Somebody brought it up the other day, we do a nerd night in Augusta every couple weeks, and somebody was like, well, but you're putting in your own thing that makes these alerts, but how about you just read the Bro logs that already exist? And so that's a definite feature that I'm going to try and get in soon, because yeah, initially just read all the old Bro logs and then now you can have the anomaly logging. But yeah, so that would have been way easier. So, anybody else? Okay. I'm... oh, I was just wondering, at all, but it would be hard to take this like a step deeper, instead of, you know, sources?

Yes, so what end state, right? My initial baseline.data file had the name of the service, the hash of the binary that was actually hosting the service, like that kind of thing, and my goal was to have you run BroPy with creds and it reaches out and contacts, does a netstat, pulls down the hash of the file, and then brings it back in, and it's like, okay, not only should those be the only things that are listening, but they should be hosted by this particular hash for this service, right? That would have been super cool. But yeah, thank you for your question. Anybody else? I'm going to see if I can get this to work now that I snapshot it. No? Okay, well, thank you for your time. If you want to stay and watch me try and fix this, you can. You're not going to hurt my feelings if you get up and throw stuff and walk away.

All right.
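The baseline idea from the talk, as an added Python example that is not BroPy's or the talk's own code: build a whitelist of (source, destination, port, protocol) from a week of Bro conn.log records into a monitored subnet, widen the /32 sources to a /24 the way the talk does by hand in vi, and then flag later connections that match no entry as non-standard traffic. It assumes Bro's default tab-separated conn.log layout with a #fields header, and the entry shape above, which the talk describes but does not show; both log excerpts are constructed.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed week-of-traffic conn.log excerpt, Bro's default tab-separated
# layout with the column names in the #fields header (extra columns dropped).
BASELINE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1500000001.1\tCa1\t156.22.11.50\t49152\t156.22.11.10\t445\ttcp\t-
1500000002.2\tCa2\t156.22.11.51\t49153\t156.22.11.10\t445\ttcp\t-
1500000003.3\tCa3\t156.22.11.50\t49154\t156.22.11.20\t1433\ttcp\t-
1500000004.4\tCa4\t156.22.11.52\t51000\t156.22.11.10\t53\tudp\tdns
1500000005.5\tCa5\t156.22.11.50\t49155\t10.9.9.9\t80\ttcp\thttp
"""
# Constructed later traffic: a new workstation doing SMB to the DC, RDP to
# the DC that nobody baselined, and an internet host reaching the SQL server.
NEW_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1500600001.1\tCb1\t156.22.11.53\t49200\t156.22.11.10\t445\ttcp\t-
1500600002.2\tCb2\t156.22.11.51\t49201\t156.22.11.10\t3389\ttcp\t-
1500600003.3\tCb3\t203.0.113.7\t40000\t156.22.11.20\t1433\ttcp\t-
"""
MONITORED = ipaddress.ip_network("156.22.11.0/24")  # the server subnet from the talk

Record = Dict[str, str]
# Assumed baseline entry: (source net, destination net, destination port, proto).
Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, int, str]
Baseline = Set[Entry]


def parse_conn_log(text: str) -> List[Record]:
    """Turn a Bro conn.log into dicts keyed by the names in its #fields line."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def _net(host: str, prefix: int) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{host}/{prefix}", strict=False)


def build_baseline(records: List[Record]) -> Baseline:
    """The 'trust everything in the network' option: each connection into the
    monitored subnet becomes one entry, both ends as /32 hosts."""
    baseline: Baseline = set()
    for r in records:
        if ipaddress.ip_address(r["id.resp_h"]) in MONITORED:
            baseline.add((_net(r["id.orig_h"], 32), _net(r["id.resp_h"], 32),
                          int(r["id.resp_p"]), r["proto"]))
    return baseline


def widen_sources(baseline: Baseline, prefix: int) -> Baseline:
    """The by-hand vi edit from the talk (source /32 -> /24) done in code;
    duplicate entries collapse because the baseline is a set."""
    return {(_net(str(src.network_address), prefix), dst, port, proto)
            for src, dst, port, proto in baseline}


def is_authorized(r: Record, baseline: Baseline) -> bool:
    """The per-connection question: may this source reach this destination
    on this port and protocol?"""
    src = ipaddress.ip_address(r["id.orig_h"])
    dst = ipaddress.ip_address(r["id.resp_h"])
    port, proto = int(r["id.resp_p"]), r["proto"]
    return any(src in s and dst in d and port == p and proto == pr
               for s, d, p, pr in baseline)


def find_anomalies(records: List[Record], baseline: Baseline) -> List[str]:
    """Connections into the monitored subnet that match no baseline entry,
    rendered as 'non-standard traffic' alert lines; other traffic is ignored."""
    alerts = []
    for r in records:
        if ipaddress.ip_address(r["id.resp_h"]) not in MONITORED:
            continue  # only the protected subnet is baselined
        if not is_authorized(r, baseline):
            alerts.append(f"{r['uid']} non-standard traffic {r['id.orig_h']} -> "
                          f"{r['id.resp_h']}:{r['id.resp_p']}/{r['proto']}")
    return alerts


if __name__ == "__main__":
    week = build_baseline(parse_conn_log(BASELINE_LOG))
    print(*find_anomalies(parse_conn_log(NEW_LOG), widen_sources(week, 24)), sep="\n")
```

With the /32 baseline all three later connections are flagged, including the new workstation's ordinary SMB; after widening the sources to /24 only the unbaselined RDP and the internet host remain, which is the review step the talk leaves to the sysadmins.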