In many networks, the types of services offered by internal hosts tend to be rather stable over tim, so that it can be a noteworthy situation when a system starts accepting connections on a port it hasn't been seen doing before. In this exercise, we write a Bro script that tracks on which ports local systems are acccepting connections, and that alarms whenever it sees a new port popping up.

For the following tasks, use the skeleton script provided below as a starting point and run Bro with the two traces enterprise-1.pcap and enterprise-2.pcap as described. (These traces contain only packet headers, which is why the skeleton script suppresses a few "weird" messages Bro would normally report with traces not having payload.)

  1. Tracking services. Implement the connection_established event handler so that for every local host, it tracks the destination ports of all incoming established connections in the services table. Raise a NewService notice whenever a local host accepts a connection on a particular port for the first time. Run the script on the trace enterprise-1.pcap. How many NewService alarms does Bro report?

  2. Adding tuning options. Allow for some customization of the detection algorithm:

    1. Add a boolean option to the script to generally ignore all unprivileged ports.

    2. Add a customizable set of arbitrary ports to ignore.

    3. How would you set these options for the traffic in enterprise-1.pcap?

  3. State persistence. Extend the script to keep the collected port information across restarts. Run first two times with enterprise-1.pcap and verify that the second run does not report any new services anymore. Then run with enterprise-2.pcap. Can you tell which tuples (host, port) Bro has remembered after running on both traces?

  4. Learning mode. If run for the first time, the script reports lots of services because it does not have any previous knowledge about the network. Add a learning mode which, when activated, builds the service profile but does not generate any notice.

  5. Expiring state. It's never good to remember something indefinitely. Change the script so that it removes entries from the services table after they haven't been used for one minute (for demonstrational purpoes; in practice you would of course choose something much longer … :-).

    .

Hints

  • Table indices can be tuples: [1.2.3.4, 25/tcp].

  • Checking for a privileged port: if ( p >= 1024/tcp ) …

  • Look at the slides on persistent state and table expiration. Recall that you can examine persistent state stored on disk.

Skeleton
@load notice
@load alarm
@load weird
@load site
module ServiceTracker;
export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        NewService
    };
}
# Configure local networks so that we can use is_local(addr)
# to check whether a given address is internal.
redef local_nets += {
    128.3.0.0/16,
    131.243.0.0/16,
};
# Table to remember seen (ip,port) pairs.
global services: set[addr, port];
event connection_established(c: connection)
    {
    ### Insert code here.
    }
event bro_done()
    {
    #### Insert code here.
    }
######## Suppress alerts generated because we have header-only traces.
redef notice_action_filters += {
    [Weird::ContentGap] = ignore_notice
};
redef notice_policy += {
    [$pred(a: notice_info) = {
        return a$note == Weird::WeirdActivity &&
            ("incompletely_captured_fragment" in a$msg ||
             "UDP_datagram_length_mismatch" in a$msg);
    },
    $result = NOTICE_IGNORE]
};