Zeek is the jack of all trades for network programming. Given its flexibility, you can do a variety of things with it, including signature detection that is more advanced than what Suricata or Snort offers.
You will need to simulate the attacks for this assignment and build the detection scripts in Zeek. To simplify the problem, simulate a DNS query carrying data that will not be canonical. Since this is a warm-up exercise, that means any request with a name longer than 52 characters in total. Build a rule that can detect this non-compliant packet and raise a Notice (Bro's alerting module). Bro already has a library supporting DNS operations. The notice type needs to be "DNS::Exfiltration" and the message needs to say "Long Domain. Possible DNS exfiltration/tunnel by 8.8.8.8. Offending domain name: abcabcabcabacabcabcabcabacabcabcabcabacabcabcabcabacabcabcabcabacabcabcabcabac.example.com" (replace the IP and the domain name with the IP and queried domain name the alert is generated for, automatically, using the fmt function). To help speed things up, you will use the specific pcap files provided here: dns-normal.pcap and dns-tunnel.pcap.
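One way to build this rule, added here as an example and not the assignment's reference solution: Zeek's DNS analyzer already raises dns_request for every query, so the script only has to compare the name length and call NOTICE. The five-argument dns_request signature and the choice to report the querying client's address are assumptions, noted in the comments.

```zeek
@load base/frameworks/notice
@load base/protocols/dns

module DNS;

export {
    redef enum Notice::Type += {
        ## Raised when a queried name is longer than the warm-up threshold.
        Exfiltration,
    };
    ## The assignment's threshold: names longer than this are suspicious.
    const max_query_len = 52 &redef;
}

# dns_request fires once per query the built-in DNS analyzer decodes, so no
# hand parsing is needed. Assumption: the five-argument handler documented
# for the release the page links; newer releases add a sixth parameter,
# original_query: string, which must then be appended to this handler.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
    if ( |query| <= max_query_len )
        return;

    # Assumption: the reported IP is the query's source (orig_h). The page's
    # sample shows 8.8.8.8, so use c$id$resp_h instead if the resolver is meant.
    NOTICE([$note=DNS::Exfiltration,
            $msg=fmt("Long Domain. Possible DNS exfiltration/tunnel by %s. Offending domain name: %s",
                     c$id$orig_h, query),
            $conn=c,
            # Suppress repeats of the same client/name pair within the default window.
            $identifier=cat(c$id$orig_h, query)]);
}
```

Run it with zeek -r dns-tunnel.pcap dnsexfiltration.bro and inspect notice.log; dns-normal.pcap should produce no DNS::Exfiltration entries.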
In addition to the standard libraries that Zeek has, you can write your own preprocessing rules for packets for virtually any protocol. MQTT (https://thenewstack.io/mqtt-protocol-iot/) is an IoT protocol that has a type of suspicious activity where a device may subscribe to all "feeds" (https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b).
Detect subscribe-all suspicious traffic for the MQTT protocol. The biggest challenge is to build a definition of MQTT so that Zeek can actually read it and give you access to specific fields. There are actually two options: the easier one is an all-in-one Bro script; the more difficult one is using BinPAC to build the definitions of a packet along with the events (this is in C++, not Bro, and requires building Bro from source). For our purposes we will use the first option (all in one Bro script, less efficient but easier to get working). For generating new MQTT traffic use this: https://www.npmjs.com/package/mqtt-m.
You can also simulate the subscribe-all attack and capture it using tcpdump. Note: MQTT messages can be stacked into one packet! If a subscribe-all on the main topic (#) or a subtopic (subtopic/#) is detected, raise a notice (it reports automatically to notice.log). The notice type needs to be "Mqtt::Subscribe" and the message needs to say "140.160.140.131 attempts to subscribe to SUB/# topics."
- replace the IP with the IP that the alert is generated for, automatically, using the fmt function.
- replace SUB/# with whatever the topic subscription is in the packet.
To speed things up, you will use the files provided here for testing: mqtt-normal.pcap and mqtt-bad.pcap.
A few points:
- You do not need to parse all MQTT messages, just the one needed for detecting the exploit.
- Use Wireshark to see what the messages look like and navigate through the byte offsets (it will help you tremendously).
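An added example of the all-in-one approach, not the assignment's reference solution: with no MQTT analyzer available, the script asks Zeek to deliver the client's byte stream on 1883/tcp to tcp_contents and walks the MQTT 3.1.1 framing by hand, including several control packets stacked in one segment. The broker port, the protocol version and the assumption that no control packet is split across two deliveries are assumptions.

```zeek
module Mqtt;
export { redef enum Notice::Type += { Subscribe }; }   # becomes Mqtt::Subscribe
# Assumption: broker on 1883/tcp; this routes the client->broker stream to tcp_contents.
redef tcp_content_delivery_ports_orig += { [1883/tcp] = T };
type RemLen: record { value: count; len: count; };   # len == 0 means malformed

# MQTT "Remaining Length" at offset i: 7 data bits per byte, bit 7 set = more bytes follow.
function remaining_length(data: string, i: count): RemLen {
    local value = 0;
    local mult = 1;
    local n = 0;
    while ( n < 4 && i + n < |data| ) {
        local b = bytestring_to_count(data[i + n : i + n + 1]);
        value += (b % 128) * mult;
        mult *= 128;
        ++n;
        if ( b < 128 ) return [$value=value, $len=n];
    }
    return [$value=0, $len=0];
}

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string) {
    if ( ! is_orig ) return;       # only the client -> broker direction carries SUBSCRIBE
    local i = 0;
    # Control packets can be stacked in one segment, so walk them in order.
    # Assumes MQTT 3.1.1 framing and that no packet straddles two deliveries.
    while ( i + 2 <= |contents| ) {
        local ptype = bytestring_to_count(contents[i : i + 1]) / 16;   # high nibble
        local rl = remaining_length(contents, i + 1);
        local body = i + 1 + rl$len;      # variable header starts here
        local pend = body + rl$value;     # following control packet starts here
        if ( rl$len == 0 || pend > |contents| ) return;
        if ( ptype == 8 ) {               # SUBSCRIBE
            # After the 2-byte packet id: per filter a 2-byte length, UTF-8 filter, 1-byte QoS.
            local p = body + 2;
            while ( p + 3 <= pend ) {
                local tlen = bytestring_to_count(contents[p : p + 2]);
                if ( p + 3 + tlen > pend ) break;
                local topic = contents[p + 2 : p + 2 + tlen];
                if ( topic == "#" || topic == /.*\/#/ )
                    NOTICE([$note=Mqtt::Subscribe, $conn=c,
                            $msg=fmt("%s attempts to subscribe to %s topics.", c$id$orig_h, topic)]);
                p += 3 + tlen;
            }
        }
        i = pend;
    }
}
```

Run it with zeek -r mqtt-bad.pcap mqtt.bro and compare the notice.log output against the SUBSCRIBE packets Wireshark shows; mqtt-normal.pcap should produce no Mqtt::Subscribe entries.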
Useful
Use this to get your Bro script started: https://www.bro.org/sphinx-git/frameworks/logging.html
Atom has support for syntax highlighting for brogramming. Install using:
apm install language-bro
What to use for the assignment
You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Useful distros include:
SecurityOnion: https://securityonion.net/
Kali: https://www.kali.org/
SO is by far the most demanding, requiring a minimum of 8GB if the ELK stack is utilized. With SELKS, you can get away with 3GB. SELKS contains the ELK stack as well as Suricata as the main IDS. Kali is useful for pentests, but many of these you can initiate from your host computer. If you do not have sudo access on the host machine, check this guide if you need to build several tools from source: Installing with no sudo access
Hints
Start with a basic script (Zeek/Bro has a basic script in their documentation: https://docs.zeek.org/en/stable/examples/scripting/ and https://docs.zeek.org/en/current/scripting/basics.html#understanding-scripts). This will save you a lot of guesswork. Then, adapt that script to what you need. The major task for both bullet points of the assignment is to find the right event for what you need to do (what packet you will be parsing and how). Once you have that event, you craft the programming logic in that event as well as call other functions.
Useful commands:
- NOTICE - the function that raises the alerts (yes, it is in capital letters)
- |string| - gives you the length of a string
- bytestring_to_count - gives you an integer based on a bytestring (i.e., hex to int)
- string[5:6] - Bro supports string slicing; you'll need it
- Reporter/.*test.*/ == string - regular expressions can be used with comparison operators
- 80/tcp - ports are specified with their protocols
To test your script against a pcap file:
zeek -r test.pcap myfile.bro
What to submit
- An automated testing suite (ATHINA - Automated Testing Homework Interface for N Assignments) will assist in verifying that your application is compliant with the project requirements. Once you submit the location of your files, it will test the repository and submit 90% of your grade depending on the outcome of the tests. With every new commit to your repository, it will re-evaluate and submit a new grade. This is meant to give you immediate feedback and multiple opportunities to correct your code and get full points for the assignment.
- I will also test your program by reading your source code and evaluating that everything is in order.
- Your program must be developed in a git version control repository. Use WWU CS's GitLab (https://gitlab.cs.wwu.edu/). The repository must be named BroBasedDetection. Set the visibility settings to Private and add my account (tsikerm) as Master to your repository.
- In your repository include the following files only: mqtt.bro, dnsexfilitration.bro, dns-normal.pcap, dns-tunnel.pcap, mqtt-normal.pcap, mqtt-bad.pcap.
Your code will be tested using the following commands: zeek -r mqtt-normal.pcap mqtt.bro. This means that all your configuration and files need to be self-contained within your Zeek script.
Directions to get WWU CS's GitLab and ATHINA reports
1. Follow https://access.cs.wwu.edu/pages/csci_vpn/windows/cs_win.html to get the VPN client set up
2. Log in with your WWU CS username and password
To get the ATHINA reports that test your code
1. Go to https://wwu.instructure.com/
3. Click on the CISS469 class and then Grades
5. Copy the link and paste it, and it will download a text file showing progress