Scribd
Upload
73 views

Zeek PDF Guide

Uploaded by

Asmaa Yehia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
73 views

Zeek PDF Guide

Uploaded by

Asmaa Yehia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

Zeek (Bro) Network Security Monitor

Sareena K P
RISE Lab
What is Bro?
Facilitates broader
spectrum of very
different approaches to
find malicious activity

● semantic misuse
detection
● anomaly detection
● behavioral analysis.

Source: https://www.zeek.org/documentation/slides/index.html
Architecture
What can Bro do?
BRO Logs
Logs Generated
Built-in functionality
● Conn.log
for a range of analysis ● SSH.log
● HTTP.log
and detection tasks ● DNS.log
● Files.log
sudo bro -i wlan0 ● Software.log

sudo bro -r sample.pcap


BRO Logs
Conn.log
What can Bro do?
Eg. Suspicious Logins

Source: https://www.zeek.org/documentation/slides/index.html
What Can it Do?
Zeek - Syntax
● Static type system (i.e., the type of data a variable holds is fixed)
● Regular expression using flex's syntax

#pattern matching
print /one|two|three/ == "two"; # T
print /one|two|three/ == "ones"; # F (exact matching)
print /one|two|three/ in "ones"; # T (embedded matching)
print /[123].*/ == "2 two"; # T

● Set of domain-specific types : Examples are time, interval, port, addr, and subnet.

Interactive Learning --- http://try.bro.org


Zeek Events
Special flavour of function global myevent: event(s: string);
global n = 0;
● They may be scheduled and executed at a event myevent(s: string) &priority = -10
later time, so that their effects may not be {
realized directly after they are invoked. ++n;
● They return no value -- they can't since }
event myevent(s: string) &priority = 10
they're not called directly but rather
{
scheduled for later execution. print "myevent", s, n;
● Multiple bodies can be defined for the same }
event, each one is deemed an "event event bro_init() {
handler". When it comes time to execute an print "bro_init()";
event myevent("hi");
event, all handler bodies for that event are
schedule 5 sec { myevent("bye") };
executed in order of &priority.
}
event bro_done() {
print "bro_done()";}
Zeek Hooks
Customization points for modules, as they allow hook myhook(s: string) &priority = 10 {
to outsource decisions to site-specific code. print "priority 10 myhook handler", s;
s = "bye"; }
● executes immediately when invoked
● Termination determines if further handlers
hook myhook(s: string) {
get executed. If the end of the body, or a
print "break out of myhook handling", s;
return statement, is reached, the next
break; }
hook handler will be executed. If, however,
a hook handler body terminates with a
hook myhook(s: string) &priority = -5 {
breakstatement, no remaining hook
print "not going to happen", s; }
handlers will execute.

event bro_init() {
priority 10 myhook handler, hi local ret: bool = hook myhook("hi");
break out of myhook handling, hi if ( ret ) {
print "all handlers ran"; }}
Scan Detector

Membership operato
Excessive DNS Requests
Track the number of DNS Requests - SumStats

SumStats::observe("dns.lookup", [$host=c$id$orig_h], [$str=query]);

local r1 = SumStats::Reducer($stream="dns.lookup",apply=set(SumStats::UNIQUE));

SumStats::create([$name="dns.requests.unique", $epoch=6hrs, $reducers=

set(r1), $epoch_result(ts: time, key: SumStats::Key, result:

SumStats::Result) = ….]);
Filtering Packets
event NetControl::init() {

local debug_plugin = NetControl::create_debug(T);

NetControl::activate(debug_plugin, 0);

hook Notice::policy(n: Notice::Info){

if ( n$note == DNSEXCESS::ExcessiveRequests )

add n$actions[Notice::ACTION_DROP]; }
Filtering Packets
event NetControl::init() {

local debug_plugin = NetControl::create_debug(T);

NetControl::activate(debug_plugin, 0);
Notified by
}
Notice
hook Notice::policy(n: Notice::Info){
Actions
if ( n$note == DNSEXCESS::ExcessiveRequests )

add n$actions[Notice::ACTION_DROP]; }
Stateful filters
DoS/DDoS TCP Scan UDP Scan
Stateful filters
DoS/DDoS TCP Scan UDP Scan

Persistent
communication from
any host to a
destination that does
not provide replies

High rate of outgoing


packets;
Stateful filters
DoS/DDoS TCP Scan UDP Scan

Persistent Significant number of


communication from half-open TCP
any host to a connections over time
destination that does
not provide replies

High rate of outgoing


packets;
Stateful filters
DoS/DDoS TCP Scan UDP Scan

Persistent Significant number of The ratio of


communication from half-open TCP successful versus
any host to a connections over time unsuccessful
destination that does communication
not provide replies attempts from the
network.
High rate of outgoing
packets;
Stateful Filters

Email SPAM Malware


The number of email Number of failed DNS queries
messages from the
network;
Installation
● VM will be provided for the tutorial.
● Download

sudo apt-get install bro

● Installation from source - https://docs.zeek.org/en/stable/install/install.html


○ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig
zlib1g-dev
○ ./configure
○ Sudo make
○ Sudo make install
○ export PATH=/usr/local/bro/bin:$PATH
Thank You.

You might also like