Application-layer Analysis

In this exercise, we analyze IRC chat traffic as an example of performing application-layer analysis. Using a IRC client, a user connects to a central IRC server, specifying a nickname under which he will be known on that server. Each client can join one or more chat channels and then send messages to these channels which will be broadcasted across all other channel participants. Likewise, a client receives copies of all messages other users are posting to any of the channels he has joined. See Wikipedia for more information on IRC.

Bro has an application-layer IRC analyzer which generates events for most of the IRC protocol's standard commands. See the skeletons below for the events relevant to this exercise.

Finding a user on a channel. Let's suppose somebody told us that an IRC client using the nickname "wizard" is suspected to be malicious and should better be monitored for. We now implement three different ways to report the presence of a specific nickname on an IRC session, all having different properties. For the following, use the trace irc-1.pcap and run Bro with at least the scripts tcp.bro, alarm.bro, and irc.bro, plus those mentioned belowd. When looking at the output, examine in particular notice.log, irc.log, and conn.log.
1. The template below gives a signature which simply looks for the string wizard in the payload of all connections. Run Bro with this signature on trace irc-1.pcap, also loading the script signatures.bro. Examine the alerts Bro reports, then repeat but add dpd_match_only_beginning=F to the command-line. What's the difference?
  Solution
  > bro -s ./irc-wizard.sig -r irc-1.pcap tcp irc alarm signatures > cat alarm.log 1182549316.427699 SensitiveSignature 192.168.7.55: Found a Wizard!
  However, inspecting notice.log reveals that this a false positive.
  > cat notice.log 1182549316.427699:SensitiveSignature:NOTICE_ALARM_ALWAYS::192.168.7.55:58252/tcp:83.220.155.8:6667/tcp::wizard-1::::192.168.7.55\ : Found a Wizard!:GET /?search=wizard HTTP/1.0^M^JUser-Agent\: Wget/1.8.2^M^JHost\: dict.leo.org^M^JAccept\: */*^M^J\ Connection\: Keep-Alive^M^J^M^J:@f9-10729-1
  With pattern matching extended beyond the first 1K of a connection:
  > bro -s ./irc-wizard.sig -r irc-1.pcap tcp irc alarm signatures dpd_match_only_beginning=F > cat alarm.log 1182545127.448084 SensitiveSignature 213.92.8.4: Found a Wizard! 1182546120.586303 SensitiveSignature 209.177.146.34: Found a Wizard! 1182549316.427699 SensitiveSignature 192.168.7.55: Found a Wizard!
  Inspecting notice.log shows that the first of the three is a true positive.
2. Adapt IRC::hot_words (from irc.bro) to raise a notice when Bro sees the string wizard in an IRC connection. Examine the alerts you get.
  Solution
  > cat wizard.bro redef IRC::hot_words += /.*wizard.*/; > bro -r irc-1.pcap tcp irc alarm ./wizard.bro > head -3 alarm.log 1182545301.780899 IRC_HotWord IRC hot word in: wizard: what errors does it give? 1182546120.586303 IRC_HotWord IRC hot word in: The wonderful wizard of Oz. 1182549316.427699 IRC_HotWord IRC hot word in: GET /?search=wizard HTTP/1.0
3. Write your own handlers for the events irc_names_info and irc_join_message (see skeleton below) to raise a notice when an IRC server specifically reports a user "wizard" being on a channel. Again, examine the alerts.
  Solution
  The completed script wizard.bro.
  > bro -r irc-1.pcap tcp irc alarm ./wizard.bro > cat alarm.log 1182545127.448084 WizardFound found Wizard on channel #ubuntu
4. Finally, compare the alarms of (a) - (c). What are the advantages/disadvantages of each approach? Which one would you chose? Is there anything you would do to improve the detection further?
  Solution
  We can use DPD to (1) find IRC sessions on non-standard ports, and (2) disable analysis for non-IRC protocols on port 6667. Using DPD, it turns out there's another "wizard" to be found:
  > bro -f tcp -r irc-1.pcap tcp irc alarm ./wizard.bro dpd dyn-disable detect-protocols > grep WizardFound alarm.log 1182545127.448084 WizardFound found Wizard on channel #ubuntu 1182548146.056426 WizardFound found Wizard on channel ##linux

Extracting host names from IRC sessions. Suppose attackers have been seen publishing names of compromised hosts on IRC channels. We now want to write a Bro script that alarms once it sees an established connection to any host mentioned on IRC. For the following, start from the skeleton below and run Bro on the trace irc-2.pcap.

Write a script which scans all messages posted to any IRC channel for numeric IP addresses (e.g., 72.14.253.103) and prints out the addresses it finds.

Solution

# Generated when a message is posted to a channel.
event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Find numerical addresses.
    local num_addrs = find_all(message, /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/);
    for ( a in num_addrs )
        print a;
    }

> bro -r irc-2.pcap tcp irc alarm ./irc-hosts-a.bro
192.168.2.1
131.243.2.191
1.0.0.0
1.1.1.1
[...]

Extend the script to raise a notice whenever some host has established a connection to one of the addresses found in (a).

Solution

The completed script irc-hosts-b.bro.

> bro -r irc-2.pcap tcp irc alarm ./irc-hosts-b.bro
192.168.2.1
131.243.2.191
1.0.0.0
1.1.1.1
[...]
> grep ConnectionSeen alarm.log
1182981592.918296 ConnectionSeen 192.168.4.56 established connection to host 131.243.2.191 seen on IRC

Extend the script further to also handle DNS host names (e.g., www.google.com) found in IRC messages.

Solution

The completed script irc-hosts-c.bro.

  > bro -r irc-2.pcap tcp irc alarm ./irc-hosts-c.bro | grep www
  www.ocf.berkeley.edu
  www.law.cornell.edu
  www.infomaticsonline.co.uk
  www.chiark.greenend.org
  > grep ConnectionSeen alarm.log
1182981497.475585 ConnectionSeen 192.168.1.7 established connection to host 128.253.22.246 seen on IRC
1182981592.918296 ConnectionSeen 192.168.4.56 established connection to host 131.243.2.191 seen on IRC

Bonus exercise: Our security consultant believes that IRC users joining a channel without saying anything are suspicious. Write a Bro script which reports the nick names of all users who, after joining a channel, leave without posting any message to the channel. Run your script on the trace irc-2.pcap.
Solution
The completed script quiet-users.bro.
```
> bro -r irc-2.pcap tcp irc alarm ./quiet-users.bro
> grep QuietUser alarm.log  | wc -l
  288
```

There is a blog posting with more information about signature semantics and tuning.

signature wizard-1 {
    ip-proto == tcp
    payload /.*wizard.*/
    event "Found a Wizard!"
    }

module Wizard;

export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        WizardFound
    };

    # The nick name we are looking for.
    const wizards_nick = "wizard" &redef;
}

# Generated when a server reports all users currently being on a channel.
event irc_names_info(c: connection, c_type: string, channel: string, users: string_set)
    {
    # Add code here.
    }

# Generated when a user joins an IRC channel.
event irc_join_message(c: connection, info_list: irc_join_list)
    {
    # Add code here.
    }

Some functions which may be of use:

         # Convert numerical IP address from type string to type address.
function to_addr(ip: string): addr

         # Lookup the IP address(es) for host name. Note that
         # this needs to be used inside a "when"-statement. Look
         # at the function gen_hot_notice_with_hostnames() in
         # conn.bro for an example of using "when".
function lookup_hostname(host: string) : addr_set

         # Returns all occurrences of pattern in string.
function find_all(str: string, re: pattern) : string_set

@load tcp
@load irc

module IrcHosts;

export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        ConnectionSeen
    };
}

# Set of all addresses seen on IRC.
global hosts: set[addr] &persistent &read_expire=7days;

# Generated when a message is posted to a channel.
event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Add code here.
    }

# Generated when a connection has been fully established.
event connection_established(c: connection)
    {
    # Add code here.
    }

@load tcp
@load irc

module IrcQuite;

export  {
    # Define a NOTICE type for our alert.
    redef enum Notice += {
        QuietUser
    };
}

# Generated when a user joins an IRC channel.
event irc_join_message(c: connection, info_list: irc_join_list)
    {
    # Add code here.
    }

# Generated when a message is posted to a channel.
event irc_privmsg_message(c: connection, source: string, target: string, message: string)
    {
    # Add code here.
    }

# Generated when a user leaves a channel.
event irc_part_message(c: connection, nick: string, chans: string_set, message: string)
    {
    # Add code here.
    }

# Generated when a user leaves the IRC servers.
event irc_quit_message(c: connection, nick: string, message: string)
    {
    # Add code here.
    }