In this exercise, we analyze IRC chat traffic as an example of performing application-layer analysis. Using a IRC client, a user connects to a central IRC server, specifying a nickname under which he will be known on that server. Each client can join one or more chat channels and then send messages to these channels which will be broadcasted across all other channel participants. Likewise, a client receives copies of all messages other users are posting to any of the channels he has joined. See Wikipedia for more information on IRC.

Bro has an application-layer IRC analyzer which generates events for most of the IRC protocol's standard commands. See the skeletons below for the events relevant to this exercise.

  1. Finding a user on a channel. Let's suppose somebody told us that an IRC client using the nickname "wizard" is suspected to be malicious and should better be monitored for. We now implement three different ways to report the presence of a specific nickname on an IRC session, all having different properties. For the following, use the trace irc-1.pcap and run Bro with at least the scripts tcp.bro, alarm.bro, and irc.bro, plus those mentioned belowd. When looking at the output, examine in particular notice.log, irc.log, and conn.log.

    1. The template below gives a signature which simply looks for the string wizard in the payload of all connections. Run Bro with this signature on trace irc-1.pcap, also loading the script signatures.bro. Examine the alerts Bro reports, then repeat but add dpd_match_only_beginning=F to the command-line. What's the difference?

    2. Adapt IRC::hot_words (from irc.bro) to raise a notice when Bro sees the string wizard in an IRC connection. Examine the alerts you get.

    3. Write your own handlers for the events irc_names_info and irc_join_message (see skeleton below) to raise a notice when an IRC server specifically reports a user "wizard" being on a channel. Again, examine the alerts.

    4. Finally, compare the alarms of (a) - (c). What are the advantages/disadvantages of each approach? Which one would you chose? Is there anything you would do to improve the detection further?

  2. Extracting host names from IRC sessions. Suppose attackers have been seen publishing names of compromised hosts on IRC channels. We now want to write a Bro script that alarms once it sees an established connection to any host mentioned on IRC. For the following, start from the skeleton below and run Bro on the trace irc-2.pcap.

    1. Write a script which scans all messages posted to any IRC channel for numeric IP addresses (e.g., 72.14.253.103) and prints out the addresses it finds.

    2. Extend the script to raise a notice whenever some host has established a connection to one of the addresses found in (a).

    3. Extend the script further to also handle DNS host names (e.g., www.google.com) found in IRC messages.

  3. Bonus exercise: Our security consultant believes that IRC users joining a channel without saying anything are suspicious. Write a Bro script which reports the nick names of all users who, after joining a channel, leave without posting any message to the channel. Run your script on the trace irc-2.pcap.

Hints for (1)

  • There is a blog posting with more information about signature semantics and tuning.

Skeleton for (1a)
signature wizard-1 {
    ip-proto == tcp
    payload /.*wizard.*/
    event "Found a Wizard!"
    }
Skeleton for (1c)
module Wizard;
export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        WizardFound
    };
    # The nick name we are looking for.
    const wizards_nick = "wizard" &redef;
}
# Generated when a server reports all users currently being on a channel.
event irc_names_info(c: connection, c_type: string, channel: string, users: string_set)
    {
    # Add code here.
    }
# Generated when a user joins an IRC channel.
event irc_join_message(c: connection, info_list: irc_join_list)
    {
    # Add code here.
    }
Hints for (2)

Some functions which may be of use:

         # Convert numerical IP address from type string to type address.
function to_addr(ip: string): addr
         # Lookup the IP address(es) for host name. Note that
         # this needs to be used inside a "when"-statement. Look
         # at the function gen_hot_notice_with_hostnames() in
         # conn.bro for an example of using "when".
function lookup_hostname(host: string) : addr_set
         # Returns all occurrences of pattern in string.
function find_all(str: string, re: pattern) : string_set
Skeleton for (2)
@load tcp
@load irc
module IrcHosts;
export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        ConnectionSeen
    };
}
# Set of all addresses seen on IRC.
global hosts: set[addr] &persistent &read_expire=7days;
# Generated when a message is posted to a channel.
event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Add code here.
    }
# Generated when a connection has been fully established.
event connection_established(c: connection)
    {
    # Add code here.
    }
Skeleton for the bonus exercise.
@load tcp
@load irc
module IrcQuite;
export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        QuietUser
    };
}
# Generated when a user joins an IRC channel.
event irc_join_message(c: connection, info_list: irc_join_list)
    {
    # Add code here.
    }
# Generated when a message is posted to a channel.
event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Add code here.
    }
# Generated when a user leaves a channel.
event irc_part_message(c: connection, nick: string, chans: string_set, message: string)
    {
    # Add code here.
    }
# Generated when a user leaves the IRC servers.
event irc_quit_message(c: connection, nick: string, message: string)
    {
    # Add code here.
    }