User Manual: Bulk Traces and Off-line Analysis

From BroWiki

Jump to: navigation, search

Image:Caution.png Note: This chapter still a very rough draft and incomplete

Bro is most effective when used in conjunction with bulk traces from your site. Capturing bulk traces just involves using tcpdump to capture all traffic entering and leaving your site.

Bulk traces can be very valuable for forensic analysis of all traffic in and out of a compromised host. It is also needed to run some particularly CPU intensive policy analyzers that can not be done in real time (as described in the Off-line Analysis section below).

Depending on your traffic load, you might be able to bulk capture on the Bro host directly, but in general we recommend using a separate packet capture host for this. Unless you want to buy a huge amount of disk, you'll probably only be able to save a few days worth of traffic.

Bulk Traces

The Bro distribution includes a couple scripts to make bulk capture easier. These are:

  • spot-trace: called by start-capture-all script
  • start-capture-all: captures all packets. This script looks for an existing instance of the spot-trace program, and if it finds one creates a new capture file name with an incremented filename, and continues capturing data. Bulk capture files can get very large, so typically you run this as a cron job every 1-2 hours.
  • bro_bulk_compress.sh: compress and/or delete old bulk trace files. Run as a cron job.

Since the bulk trace files can be huge, you often will want to run tcpdump on the raw trace with a filter to extract the packets of interest. For example: 

tcpdump -r bulkXXX.trace -w goodstuff.trace 'host w.x.y.z'

If you know that that packets you want are bounded by a time interval, say it occurred 1:17PM-1:18PM, then you can speed this up a great deal using tcpslice. For example: 

tcpslice 13h15m +5m bulkXXX.trace | tcpdump -r - -w goodstuff.trace 'host w.x.y.z'

It is recommend to use a somewhat broader time interval for tcpslice (such as in the above example) than when Bro reported the activity occurred, so you can catch additional related packets cheaply.

Off-line Analysis

There are some policy modules that are meant to be run as off-line analysis on bulk trace files. These include:

  • backdoor.bro: looks for standard services running on non-standard ports. These services include ssh, http, ftp, telnet, and rlogin.

To run Bro on a tcpdump file, do something like this: 

# set up the Bro environment (sh or bash)
. /usr/local/bro/etc/bro.cfg
/usr/local/bro/bin/bro -r dumpfile backdoor.bro

To use Bro to extract the contents of a trace file, do: 

bro -r tracefile contents

which will load policy/contents.bro. It stores the contents of each connection in two files, contents.H1.P1.H2.P2 and contents.H2.P2.H1.P1, where H1/P1 is the host/port of the originator and H2/P2 the same for the responder.

You can extract just the connections of interest using, for example: 

bro -f "host 1.2.3.4" -r tracefile contents

User Manual

Overview of Bro | Requirements | Installation and Configuration

Running Bro | Bro Output | Analysis of Incidents and Alarms | Customizing Bro

Intrusion Prevention Using Bro | Performance Tuning | Bulk Traces and Off-line Analysis

Reference Manual

Retrieved from "http://www.bro-ids.org/wiki/index.php/User_Manual:_Bulk_Traces_and_Off-line_Analysis"
Personal tools
User Management