MHR Testing with Bro


Damon Rouse
Feb 19, 2015, 12:44:02 PM
to securit...@googlegroups.com
Quick question...What would be the best way to test that this functionality within Bro is working correctly?

I've never seen a notice for any MHR items and find that hard to believe with my user base. I've even tested by replaying a couple pcaps that should have triggered hits.

Thanks
Damon

Scott Runnels
Feb 19, 2015, 4:35:08 PM
to securit...@googlegroups.com
Try giving it a manual check first.

Let's use Poison Ivy as an example:

Poison Ivy has a SHA1 of dd639a7f682e985406256468d6df8a717e77b7f3

So, we should be able to do a lookup of that hash with Team Cymru!

nslookup -q=txt dd639a7f682e985406256468d6df8a717e77b7f3.malware.hash.cymru.com

If it's known we'll get an epoch and a certainty value.  

➜ ~ nslookup -q=txt dd639a7f682e985406256468d6df8a717e77b7f3.malware.hash.cymru.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53


Non-authoritative answer:
dd639a7f682e985406256468d6df8a717e77b7f3.malware.hash.cymru.com text = "1318559706 21"

Authoritative answers can be found from:

So, that's a known bad!  

and if downloaded by a machine that is being monitored should fire the Notice from Bro.

TL;DR
Take a look and find a copy of Poison Ivy and its SHA1.  Test it manually, then download that copy.

-Scott

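Scott's manual check, written up as an added example that is not part of the thread: a small Python helper that builds the MHR query name, picks the TXT record out of `nslookup -q=txt` output and decodes the answer into the last-seen timestamp and the percentage of AV engines that detect the sample. The sample output is constructed to mirror the transcript above, and the live `lookup()` assumes `nslookup` is on PATH and outbound DNS is allowed.

```python
import re
import subprocess
from datetime import datetime, timezone

MHR_ZONE = "malware.hash.cymru.com"

def mhr_query_name(digest):
    """Build the DNS name for an MD5 (32 hex) or SHA1 (40 hex) digest."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}", d):
        raise ValueError("digest must be a 32- or 40-character hex string")
    return f"{d}.{MHR_ZONE}"

def parse_mhr_txt(txt):
    """Decode an MHR TXT answer such as '1318559706 21' into (last_seen_utc, detection_pct)."""
    m = re.fullmatch(r'"?(\d+)\s+(\d+)"?', txt.strip())
    if not m:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc), int(m.group(2))

def parse_nslookup_output(output):
    """Return (name, txt) pairs from 'nslookup -q=txt' output; an empty list means
    no TXT record came back, i.e. the hash is not in the registry."""
    hits = []
    for line in output.splitlines():
        m = re.match(r'^(\S+)\s+text\s*=\s*(".*")\s*$', line.strip())
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def lookup(digest, server="8.8.8.8"):
    """Live check (assumed: nslookup on PATH, outbound DNS permitted)."""
    proc = subprocess.run(["nslookup", "-q=txt", mhr_query_name(digest), server],
                          capture_output=True, text=True)
    return [parse_mhr_txt(txt) for _, txt in parse_nslookup_output(proc.stdout)]

# Constructed sample mirroring the transcript in the thread (not captured live here).
SAMPLE_OUTPUT = """Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
dd639a7f682e985406256468d6df8a717e77b7f3.malware.hash.cymru.com text = "1318559706 21"

Authoritative answers can be found from:
"""

if __name__ == "__main__":
    for name, txt in parse_nslookup_output(SAMPLE_OUTPUT):
        seen, pct = parse_mhr_txt(txt)
        print(f"{name}: last seen {seen:%Y-%m-%d %H:%M:%S} UTC, detected by {pct}% of AV engines")
```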


Damon Rouse
Feb 19, 2015, 4:59:26 PM
to securit...@googlegroups.com
Good deal, exactly what I was looking for, thanks Scott!  I'll give this a shot a little later this afternoon.

D


Damon Rouse
Feb 19, 2015, 7:03:35 PM
to securit...@googlegroups.com
Hey Scott

I actually just tried with the sample you posted. I downloaded it directly from VT...nothing in my notice or files log for that MD5 or SHA1

Just for fun, I spun up a SO VM and tried it from there too...nada =/

I'm kind of at a loss as to why the MHR stuff isn't working correctly.

Thanks
Damon

Scott Runnels
Feb 20, 2015, 11:34:25 AM
to securit...@googlegroups.com
Hi Damon

Can you find the corresponding HTTP log or CONN log for the connection to VT from your host at the time?  If not, it would seem that machine is not in scope for your monitoring.  Are you using a SPAN port or a TAP?


Damon Rouse
Feb 20, 2015, 1:35:37 PM
to securit...@googlegroups.com
Hi Scott

Yup, I see all the corresponding logs for the connection. I even see all the corresponding info in the files.log for the connection, just not any of the hash info. This seems really odd to me. BTW, the traffic is coming from a SPAN.

The real odd thing is that I snagged a pcap of Zeus Gameover traffic and replayed it locally via Bro. It generated the suspected logs and the MHR entries in the notice.log file.

Just double checked a direct download for that file from VT in my VM. Same result, no associated MHR entries anywhere...

Thanks Scott
Damon

Scott Runnels
Feb 20, 2015, 1:43:53 PM
to securit...@googlegroups.com
Any chance you're missing the following in /opt/bro/share/bro/site/local.bro?

@load frameworks/files/hash-all-files

Damon Rouse
Feb 20, 2015, 1:48:12 PM
to securit...@googlegroups.com
Nope, it's in there =/

#### Network File Handling ####

# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files

# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR


Liam Randall
Feb 20, 2015, 3:51:39 PM
to securit...@googlegroups.com
Damon,

Check to make sure you're not missing pieces of the file:

cat files.log | bro-cut fuid seen_bytes total_bytes missing_bytes overflow_bytes md5 sha256


You should also check your conn.log


thanks,


Liam


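Liam's files.log check, as an added example that is not from the thread: a Python triage of bro-cut output that flags the conditions under which detect-MHR cannot produce a notice (truncated or gappy file, no SHA1 computed). The field names follow files.log; the sample rows, fuids and digests are constructed, and a sha1 column is included because detect-MHR looks up the SHA1 rather than the sha256 column Liam's command selects.

```python
# Column order of Liam's bro-cut command, with sha1 in place of sha256 because
# detect-MHR queries the SHA1; hash-all-files computes MD5 and SHA1 only, so an
# empty sha256 column is expected unless a SHA256 analyzer is also loaded.
FIELDS = ["fuid", "seen_bytes", "total_bytes", "missing_bytes",
          "overflow_bytes", "md5", "sha1"]

# Constructed sample rows (hypothetical fuids and digests, not from the thread).
SAMPLE = """\
FaaaaaaaaaaaaaaaaA\t1211\t1211\t0\t0\t0123456789abcdef0123456789abcdef\t0123456789abcdef0123456789abcdef01234567
FbbbbbbbbbbbbbbbbB\t1065\t4096\t3031\t0\t-\t-
FccccccccccccccccC\t1410\t-\t0\t0\tfedcba9876543210fedcba9876543210\t-
"""

def parse_bro_cut(text, fields):
    """Turn bro-cut output into dicts; bro-cut emits tabs, pasted output is often space-separated."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        vals = line.split("\t") if "\t" in line else line.split()
        if len(vals) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(vals)}: {line!r}")
        rows.append(dict(zip(fields, vals)))
    return rows

def mhr_blockers(row):
    """Reasons this files.log record cannot yield an MHR notice; [] means it is eligible."""
    reasons = []
    if row["total_bytes"] != "-" and int(row["seen_bytes"]) < int(row["total_bytes"]):
        reasons.append(f"truncated: saw {row['seen_bytes']} of {row['total_bytes']} bytes")
    if row["missing_bytes"] != "0":
        reasons.append(f"{row['missing_bytes']} bytes missing (drops on the SPAN or TAP)")
    if row["overflow_bytes"] != "0":
        reasons.append(f"{row['overflow_bytes']} overflow bytes (reassembly gap)")
    if row["sha1"] == "-":
        reasons.append("no sha1: hash-all-files not loaded, or hashing stopped at a gap")
    return reasons

def triage(text, fields=FIELDS):
    """Map each fuid to its list of blockers."""
    return {r["fuid"]: mhr_blockers(r) for r in parse_bro_cut(text, fields)}

if __name__ == "__main__":
    for fuid, reasons in triage(SAMPLE).items():
        print(fuid, "eligible for MHR lookup" if not reasons else "; ".join(reasons))
```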

Damon Rouse
Feb 20, 2015, 4:13:43 PM
to securit...@googlegroups.com
Here's the output after re-downloading from VT in my SO VM just now

drouse@sovm:/nsm/bro/logs/current$ ls
communication.log  dns.log    ssl.log     stdout.log  x509.log
conn.log           files.log  stderr.log  weird.log
drouse@sovm:/nsm/bro/logs/current$ cat files.log | bro-cut fuid seen_bytes total_bytes missing_bytes overflow_bytes md5 sha256
FmKFrW3ozUoCIkCKWg 1211 - 0 0 9f7cbba8edd1ee118d5c88e6b334d4a7 -
FQkeab3r3KqpRJqXKh 1065 - 0 0 23bb075facfbfb026935b31fb6ee063b -
F2bv4s44UDrS2lZNI6 1410 - 0 0 6dfaa03bf5390be0c5c97afbc4f877cb -
FCtBWD2rqv7rrmlxe1 1012 - 0 0 46f1bf2f24dd3aa9cfd760a3bade5ec7 -
FrmOX21vJoO6bKuFSg 897 - 0 0 2e7db2a31d0e3da4b25f49b9542a2e1a -


Here's the corresponding conn.log entry

timestamp epoch_time host program class srcip srcport dstip dstport proto bytes_in service conn_duration bytes_out pkts_out pkts_in resp_country_code msg
2015-Feb-20 21:05:17 1424466317 127.0.0.1 bro_conn BRO_CONN 192.168.84.129 35242 74.125.34.46 443 TCP 0 - - - US 1424466312.982282|CvnlZY13PnUZLWpsN7|192.168.84.129|35242|74.125.34.46|443|tcp|-|-|-|-|OTH|T|0|C|0|0|0|0|(empty)|-|US|sovm-eth0
2015-Feb-20 21:06:29 1424466389 127.0.0.1 bro_conn BRO_CONN 192.168.84.129 35242 74.125.34.46 443 TCP 18779 - 69.496123 45 US 1424466313.016541|CVcUvV1dbk1zmWJhHi|192.168.84.129|35242|74.125.34.46|443|tcp|-|69.496123|0|18779|SHR|T|0|hCadf|0|0|45|20583|(empty)|-|US|sovm-eth0

Thanks
Damon

Doug Burks
Feb 23, 2015, 1:08:22 PM
to securit...@googlegroups.com
Hi Damon,

Are you downloading over HTTPS?
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Damon Rouse
Feb 23, 2015, 1:15:43 PM
to securit...@googlegroups.com
Hi Doug...Yes, the download is over HTTPS

Doug Burks
Feb 23, 2015, 1:18:11 PM
to securit...@googlegroups.com
Have you tried downloading over HTTP?

Damon Rouse
Feb 23, 2015, 2:13:11 PM
to securit...@googlegroups.com
Not yet, but I'll try that from a remote site later today with the same sample.  Should the MHR functionality work over HTTPS?

Damon Rouse
Feb 23, 2015, 3:25:40 PM
to securit...@googlegroups.com
Doug

I just tested via HTTP on my stock SO VM and via a machine monitored by our production SO environment. Things worked correctly in both places. I see the expected MHR entries in the notice.log.

So, I take it the MHR functionality won't work over HTTPS?

Thanks
Damon

Liam Randall
Feb 23, 2015, 3:30:01 PM
to securit...@googlegroups.com
Damon,

No.  When Bro sees SSL/TLS the only files it is able to extract are the x509 certificates.

Thanks,

Liam Randall

Damon Rouse
Feb 23, 2015, 3:32:12 PM
to securit...@googlegroups.com
Gotcha, makes sense.  Thanks for the help everyone and I'm glad things are actually working as they should.

D
