zeek/doc/user-manual/Bro-offline-analysis.texi

@strong{NOTE: This chapter is still a very rough draft and incomplete.}
Bro is most effective when used in conjunction with bulk traces
from your site. Capturing bulk traces just involves using @code{tcpdump}
to record all traffic entering and leaving your site.
Bulk traces can be very valuable for forensic analysis of all traffic
in and out of a compromised host. They are also needed to run some
particularly CPU-intensive policy analyzers that cannot be run
in real time (as described in the Off-line Analysis section below).
Depending on your traffic load, you might be able to bulk capture on
the Bro host directly, but in general we recommend using a separate
packet capture host for this. Unless you want to buy a huge amount
of disk, you'll probably only be able to keep a few days' worth
of traffic.
@menu
* Bulk Traces ::
* Off-line Analysis ::
@end menu
@node Bulk Traces
@section Bulk Traces
@cindex Bulk Traces
The Bro distribution includes a couple of scripts to make bulk capture
easier. These are:
@code{spot-trace}: the capture program; called by the @code{start-capture-all} script.
@code{start-capture-all}: captures all packets. This script looks
for an existing instance of the @code{spot-trace} program, and if it finds one
starts a new capture file with an incremented sequence number in its
name and continues capturing data. Bulk
capture files can get very large, so typically you run this as
a cron job every 1-2 hours to rotate the capture file.
@code{bro_bulk_compress.sh}: compresses and/or deletes old bulk trace files. Run as a cron job.
@comment XXX: need more details here: eg: edit bro.cfg settings, etc.
Since the bulk trace files can be huge, you will often want
to run @code{tcpdump} on the raw trace with a filter to extract only the packets
of interest into a smaller trace. For example:
@smallexample
tcpdump -r bulkXXX.trace -w goodstuff.trace 'host w.x.y.z'
@end smallexample
If you know that the packets you want are bounded by a time interval, say
the activity occurred between 1:17PM and 1:18PM, then you can speed this up a great deal
using @uref{ftp://ftp.ee.lbl.gov/tcpslice.tar.Z, tcpslice}, which locates
the interval by binary search on packet timestamps instead of reading
the whole trace. For example:
@smallexample
tcpslice 13h15m +5m bulkXXX.trace | tcpdump -r - -w goodstuff.trace 'host w.x.y.z'
@end smallexample
It is recommended to use a somewhat broader time interval for tcpslice
(as in the above example, which starts two minutes early and covers
five minutes) than the one Bro reported for the activity, so you can
cheaply catch additional related packets.
@node Off-line Analysis
@section Off-line Analysis
@cindex Off-line Analysis
There are some policy modules that are meant to be run as off-line
analysis on bulk trace files. These include:
@code{backdoor.bro}: looks for standard services running on non-standard ports.
These services include ssh, http, ftp, telnet, and rlogin.
To run Bro on a tcpdump file, do something like this:
@comment ### XXX we really need a version of this that works with tcsh, grrrr ...
@smallexample
# set up the Bro environment (sh or bash)
. /usr/local/bro/etc/bro.cfg
/usr/local/bro/bin/bro -r dumpfile backdoor.bro
@end smallexample
To use Bro to extract the contents of a trace file, do:
@smallexample
bro -r tracefile contents
@end smallexample
which will load policy/contents.bro. It stores the contents of each
connection in two files, contents.H1.P1.H2.P2 and contents.H2.P2.H1.P1,
where H1/P1 is the host/port of the originator and H2/P2 the same for the
responder.
You can extract just the connections of interest using, for example:
@smallexample
bro -f "host 1.2.3.4" -r tracefile contents
@end smallexample
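The following Python script is an added example, not part of the Bro distribution or of this manual. It reimplements on an in-memory pcap what the two procedures above do with external tools: the @code{tcpslice} time-window cut and the @code{tcpdump 'host ...'} filter from the Bulk Traces section, and the per-direction payload split under the @code{contents.H1.P1.H2.P2} names described for @code{contents.bro}. All hosts, ports, timestamps and payloads are constructed; the script assumes Ethernet/IPv4/TCP frames in a classic (non-pcapng, microsecond) pcap file, and it treats the first packet seen on a connection as coming from the originator, which is an assumption of this example rather than Bro's own SYN-based logic.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1

def make_tcp_frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Serialise (timestamp, frame) pairs as a little-endian classic libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file in either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, frame[14 + ihl + doff:14 + total_len]

def slice_window(records, start, end):
    """Equivalent of `tcpslice start end`: keep packets with start <= ts < end."""
    return [(ts, f) for ts, f in records if start <= ts < end]

def filter_host(records, host):
    """Equivalent of `tcpdump 'host X'`, restricted here to IPv4/TCP frames."""
    kept = []
    for ts, f in records:
        d = decode_tcp(f)
        if d is not None and host in (d[0], d[2]):
            kept.append((ts, f))
    return kept

def contents_by_direction(records):
    """Concatenate payload per direction under the names contents.bro uses,
    contents.H1.P1.H2.P2 with H1/P1 the originator.  Assumption of this example:
    the first packet seen on a 4-tuple comes from the originator."""
    originator, out = {}, {}
    for _ts, f in sorted(records):
        d = decode_tcp(f)
        if d is None:
            continue
        src, sport, dst, dport, payload = d
        key = frozenset([(src, sport), (dst, dport)])
        originator.setdefault(key, (src, sport, dst, dport))
        h1, p1, h2, p2 = originator[key]
        name = (f"contents.{h1}.{p1}.{h2}.{p2}" if (src, sport) == (h1, p1)
                else f"contents.{h2}.{p2}.{h1}.{p1}")
        out[name] = out.get(name, b"") + payload
    return out

def extract(pcap_bytes, start, end, host):
    """The pipeline `tcpslice start end trace | tcpdump -r - 'host X'`, in memory."""
    return filter_host(slice_window(read_pcap(pcap_bytes), start, end), host)

# Constructed sample trace (not a real capture): a two-way SSH exchange plus
# two unrelated packets, with timestamps around the epoch second T0.
T0 = 1230815820.0
SAMPLE = build_pcap([
    (T0 - 600, make_tcp_frame("10.0.0.9", 4000, "10.0.0.8", 80, b"GET / HTTP/1.0")),
    (T0 + 1.0, make_tcp_frame("10.0.0.5", 51000, "192.0.2.7", 22, b"SSH-2.0-client")),
    (T0 + 1.5, make_tcp_frame("192.0.2.7", 22, "10.0.0.5", 51000, b"SSH-2.0-server")),
    (T0 + 2.0, make_tcp_frame("10.0.0.5", 51000, "192.0.2.7", 22, b" more")),
    (T0 + 40, make_tcp_frame("10.0.0.6", 5555, "10.0.0.7", 25, b"EHLO mail")),
])

if __name__ == "__main__":
    hits = extract(SAMPLE, T0, T0 + 300, "192.0.2.7")
    for name, body in contents_by_direction(hits).items():
        print(name, body)
```

The five-minute window starting at @code{T0} drops the packet from ten minutes earlier, the host filter then drops the unrelated SMTP packet, and the remaining three packets are split into one @code{contents.*} entry per direction, client payload in one and server payload in the other. On a real trace you would still reach for @code{tcpslice} and @code{tcpdump}: they read the file in one pass (or seek through it), whereas this script loads the whole capture into memory.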