Exercise: Application-layer IRC analysis

In this exercise, we will do some application-layer analysis of IRC traffic.

  1. Assume somebody told us that an IRC user with the nickname wizard is doing evil stuff. Therefore we want to report IRC connections on which we see this user.

    a. Write a signature to raise a notice when the string wizard is found in an IRC connection. In addition to the scripts mentioned below, load signatures.bro and examine the resulting signatures.log.
    b. Adapt IRC::hot_words to raise a notice when Bro sees the string wizard in an IRC connection.
    c. Write event handlers which raise a notice when an IRC server reports user "wizard" as being on a channel.

    For all of these, run Bro on the trace irc-1.trace, loading at least the scripts irc.bro and tcp.bro. Verify Bro's output (examine in particular irc.log, notice.log, and conn.log).

  2. Our security consultant believes that IRC users who join a channel without saying anything are suspicious. Write a Bro script which reports the nicknames of all users who, after joining a channel, leave again without posting any message to the channel.

    Run your script on the trace irc-2.trace.

  3. Attackers often publish names of compromised hosts on IRC channels. We want to get an alarm once we see an established connection to any host mentioned on IRC.

    a. Write a script which scans all messages posted to an IRC channel for numeric IP addresses (e.g., 72.14.253.103) and prints them out.
    b. Extend the script so that it also prints all DNS host names (e.g., www.google.com) found in IRC messages.
    c. Extend the script to raise a notice if some host connects to one of the addresses found in (a) or (b).

    For all of these, run Bro on the trace irc-2.trace.
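As an added worked example (not part of the original exercise sheet), the following Bro 1.x script sketches tasks 3(a)-(c): it uses find_all and to_addr from the list below to collect addresses mentioned in IRC messages, resolves host names with lookup_hostname (Bro 1.3's asynchronous when statement), and raises a notice from connection_established. The two patterns, the notice name IRCHotHostConnection, and the redef enum Notice / NOTICE([...]) / connection_established usage are assumptions about the Bro 1.x scripting API, not something the exercise provides.

```bro
@load irc
@load tcp

# Assumed: Bro 1.x notice framework, where new notice types are added by redef.
redef enum Notice += { IRCHotHostConnection };

# Constructed patterns: dotted quads, and anything that looks like a DNS name.
# Deliberately loose; the task only asks to find candidates in chatter.
const ip_pat   = /[0-9]{1,3}(\.[0-9]{1,3}){3}/;
const host_pat = /[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+/;

# Every address seen (or resolved) from an IRC message so far.
global hot_hosts: set[addr];

event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Task 3(a): numeric IP addresses.
    local ips = find_all(message, ip_pat);
    for ( ip in ips )
        {
        add hot_hosts[to_addr(ip)];
        print fmt("IRC mentions address %s (%s -> %s)", ip, source, target);
        }

    # Task 3(b): host names, resolved asynchronously (Bro 1.3 lookup_hostname).
    local names = find_all(message, host_pat);
    for ( h in names )
        {
        if ( h == ip_pat )      # exact match: a dotted quad, handled above
            next;
        print fmt("IRC mentions host name %s (%s -> %s)", h, source, target);
        when ( local addrs = lookup_hostname(h) )
            {
            for ( a in addrs )
                add hot_hosts[a];
            }
        }
    }

# Task 3(c): alarm on an established connection to any collected address.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in hot_hosts )
        NOTICE([$note=IRCHotHostConnection, $conn=c,
                $msg=fmt("%s connected to %s, a host mentioned on IRC",
                         c$id$orig_h, c$id$resp_h)]);
    }
```

Run it together with the trace from the task (bro -r irc-2.trace thisscript.bro) and check notice.log; resolved host names only enter hot_hosts once the DNS answer arrives, so a connection that precedes the answer in the trace is not flagged.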


Events/functions/variables which might be of use to solve this:

    event irc_names_info(c: connection, c_type: string, channel: string, users: string_set)
             # Server reports the users being on a channel.

    event irc_join_message(c: connection, info_list: irc_join_list)
             # User joins a channel.

    event irc_part_message(c: connection, nick: string, chans: string_set, message: string)
             # User leaves a channel.

    event irc_privmsg_message(c: connection, source: string, target: string, message: string)
             # A message is posted.

    event irc_quit_message(c: connection, nick: string, message: string)
             # User leaves the IRC server.

    function to_addr(ip: string): addr
             # Convert a numerical IP address from type string to type addr.

    function lookup_hostname(host: string): addr_set    # Bro 1.3
             # Look up the IP address(es) for a host name.

    function find_all(str: string, re: pattern): string_set
             # Returns all occurrences of the pattern in the string.

    const dpd_match_only_beginning (default: true)
             # If true, signature matching stops once dpd_buffer_size has been reached.

    const dpd_buffer_size (default: 1024)
             # Size of the per-connection buffer in bytes. If the buffer is full, data is
             # discarded and lost to analyzers that are activated afterwards.