Exercise: Monitoring for Activity Fingerprints

Our CERT has issued an advisory which warns about a new type of trojan. The CERT folks cannot provide many details about the malware at this point but, to find compromised systems, they recommend watching for hosts which perform the following steps in the given order:

  1. There is an incoming SSH connection to port 2222.
  2. The host requests a file called download.html from a Web server.
  3. The host initiates two FTP sessions to (potentially different) FTP hosts, requesting one file from each of them. From the first server, a Windows executable is downloaded. From the second one, a ZIP archive is downloaded.
  4. The host joins an IRC channel on some IRC server.

Write a Bro script which monitors all internal hosts for such activity and reports when it detects a host performing all of these steps in the correct order.

Run your script on the trace fingerprint.trace and validate the results. Assume that all hosts in 192.168.0.0/16 are internal and all others are external.

Events which might be of use to solve this:

event file_transferred(c: connection, prefix: string, descr: string, mime_type: string)
        # Raised when a file is transferred via FTP and gives the
        # file's type as identified via libmagic.

event ftp_request(c: connection, command: string, arg: string)
        # Raised for every client command on an FTP session.

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
        # Raised for every HTTP client request.

event protocol_confirmation(c: connection, atype: count, aid: count)
        # Raised when Bro positively confirms that a protocol is in use.
        # To check which analyzer raised the event, check the analyzer type in "atype".
        # For SSH, it is "ANALYZER_SSH"; for IRC it is "ANALYZER_IRC".

Note that file_transferred contains the file type only if libmagic support has been compiled into Bro, so you may or may not be able to use that one.
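One way to structure such a script, added here as an illustration and not as the exercise's reference solution: a per-host state machine driven only by the events listed above, in Bro 1.5-era syntax. The MIME type strings, and the assumption that the connection passed to file_transferred is originated by the FTP client (passive mode), are assumptions to check against the trace.

```bro
# Hosts we consider internal (the exercise says 192.168.0.0/16).
const internal_nets: set[subnet] = { 192.168.0.0/16 } &redef;
# How far each internal host has progressed through the fingerprint.
type Step: enum { START, SAW_SSH, SAW_HTTP, SAW_EXE, SAW_ZIP };
global progress: table[addr] of Step &default = START;

# MIME types libmagic is assumed to report for a Windows PE file and a ZIP archive;
# compare against what file_transferred actually reports on your trace.
const exe_mime = "application/x-dosexec";
const zip_mime = "application/zip";
# Move host h from step cur to step nxt; anything out of order is ignored.
function advance(h: addr, cur: Step, nxt: Step)
    {
    if ( h in internal_nets && progress[h] == cur )
        progress[h] = nxt;
    }

event protocol_confirmation(c: connection, atype: count, aid: count)
    {
    # Step 1: the internal host is the *server* of an SSH session on port 2222.
    if ( atype == ANALYZER_SSH && c$id$resp_p == 2222/tcp )
        advance(c$id$resp_h, START, SAW_SSH);

    # Step 4: the internal host is the *client* of an IRC session (analyzer
    # confirmation stands in for the channel JOIN, which is not an event listed above).
    else if ( atype == ANALYZER_IRC )
        {
        local h = c$id$orig_h;
        if ( h in internal_nets && progress[h] == SAW_ZIP )
            {
            print fmt("fingerprint matched on %s (IRC server %s)", h, c$id$resp_h);
            progress[h] = START;    # start over for this host
            }
        }
    }

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
    {
    # Step 2: the host fetches download.html (matched anywhere in the URI).
    if ( method == "GET" && /download\.html/ in unescaped_URI )
        advance(c$id$orig_h, SAW_SSH, SAW_HTTP);
    }

event file_transferred(c: connection, prefix: string, descr: string, mime_type: string)
    {
    # Step 3: the first FTP download must be the executable, the second the ZIP.
    # Assumes passive-mode FTP, so the client originates the data connection.
    if ( mime_type == exe_mime )
        advance(c$id$orig_h, SAW_HTTP, SAW_EXE);
    else if ( mime_type == zip_mime )
        advance(c$id$orig_h, SAW_EXE, SAW_ZIP);
    }
```

If libmagic support is missing, step 3 can instead be keyed off ftp_request with command "RETR" and the extension of its arg, at the cost of trusting the file name rather than the content.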