The report is divided into three parts, the summary, incidents, and scans. The summary includes a rollup of incident information, Bro operational statistics, and network information. The incidents section has details for each Bro alarm. The scans section gives details about scans that Bro detected.
The header gives some basic information about the report.
Site name is determined by the "Site name for reports" that was given during the installation and configuration process. See Bro Configuration.
Start time and interval of the report are also entered during the configuration process.
This section gives a numeric summary of the events that have happened in the reporting period.
Incidents shows the number of incidents that are recorded in the report period. An incident is any occurrence that is deemed worth investigating. An incident is formed by the triggering of one or more alarms.
Scanning Hosts is the number of distinct IP addresses that have been detected scanning either into or out of the site.
A scan can be a:
- port scan: scanning several ports of a single host.
- network scan: scanning several hosts for open ports.
- signature scan: attacking multiple hosts with a specific vulnerability attack (signature).
- targeted attack: launching multiple signatures against a single host.
- password scan: attempts to guess passwords on telnet terminals.
A successful scan is when:
- the bytes sent by a single probe of a scan against a host or several hosts differ by more than three standard deviations from those of the rest of the scan; in essence, when the bytes transferred on one connection differ from those of the other connections involved in the scan.
- a separate connection back to the attacker host is detected from the local network.
- the number of bytes sent back from the targeted victim host to the offender during a scan connection exceeds 20480.
Signature Summary shows the total number of alarms triggered by signatures during the report period and the number of those that are unique. These numbers do not include alarms triggered by embedded Bro rules. See Understand What Triggered the Alarm(s).
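The three "successful scan" criteria above, applied to a small set of constructed scan connections. This is an added example, not part of the report or of Bro's own code: the Conn record, the host addresses (RFC 5737 documentation ranges) and the function names are this example's own; the 20480-byte limit and the three-standard-deviation rule come from the text, and the first criterion is read here as "more than three standard deviations from the mean of the other probes in the scan".

```python
import statistics
from dataclasses import dataclass

# Threshold named in the report description: bytes the victim sent back
# during one scan connection.
VICTIM_BYTES_THRESHOLD = 20480
# "more than three standard deviations" from the rest of the scan.
OUTLIER_SIGMAS = 3


@dataclass
class Conn:
    """One connection belonging to a scan (field names are this example's own)."""
    orig: str         # initiating host
    resp: str         # responding host
    orig_bytes: int   # bytes sent by the initiator
    resp_bytes: int   # bytes sent back by the responder
    orig_local: bool  # True when the initiator is inside a local subnet


def outlier_probes(probes, sigmas=OUTLIER_SIGMAS):
    """Probes whose orig_bytes lie more than `sigmas` standard deviations from
    the mean of the *other* probes (the 'rest of the scan'). When the other
    probes are all the same size their deviation is 0, so any difference counts."""
    found = []
    for i, p in enumerate(probes):
        rest = [q.orig_bytes for j, q in enumerate(probes) if j != i]
        if len(rest) < 2:
            continue  # too few probes to talk about a spread
        mean = statistics.mean(rest)
        sd = statistics.pstdev(rest)
        if abs(p.orig_bytes - mean) > sigmas * sd:
            found.append(p)
    return found


def scan_success_reasons(scanner, conns):
    """Return the criteria (in the order the text lists them) that mark the
    scanner's scan as successful; an empty list means 'unsuccessful'."""
    probes = [c for c in conns if c.orig == scanner]
    reasons = []
    if outlier_probes(probes):
        reasons.append("probe size outlier")
    if any(c.orig_local and c.resp == scanner for c in conns):
        reasons.append("callback from local network")
    if any(c.resp_bytes > VICTIM_BYTES_THRESHOLD for c in probes):
        reasons.append("large victim response")
    return reasons


# Constructed sample data.
SCANNER = "198.51.100.7"
VICTIMS = [f"192.0.2.{i}" for i in range(10, 18)]  # eight local hosts

# A sweep that trips all three criteria.
SAMPLE_SCAN = [Conn(SCANNER, v, 60, 0, False) for v in VICTIMS]
SAMPLE_SCAN[3] = Conn(SCANNER, VICTIMS[3], 60, 25000, False)    # victim replied with 25000 bytes
SAMPLE_SCAN[5] = Conn(SCANNER, VICTIMS[5], 5000, 0, False)      # one probe carried a 5000-byte payload
SAMPLE_SCAN.append(Conn(VICTIMS[3], SCANNER, 4000, 900, True))  # local host connects back to the scanner

# The same sweep with uniform probes, no reply and no callback: plain noise.
NOISE_SCAN = [Conn(SCANNER, v, 60, 0, False) for v in VICTIMS]

if __name__ == "__main__":
    print("sample scan:", scan_success_reasons(SCANNER, SAMPLE_SCAN) or "unsuccessful")
    print("noise scan: ", scan_success_reasons(SCANNER, NOISE_SCAN) or "unsuccessful")
```

The outlier test deliberately compares each probe against the others rather than against the whole scan, so a single oversized probe cannot inflate the deviation it is being measured against.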
This is a list of all signatures that were triggered during the report period.
NOTE: This section does not include alarms triggered by embedded Bro rules. See Understand What Triggered the Alarm(s).
Count is the number of times the signature was seen.
Unique Sources is the number of unique ip addresses that used the specific signature as an attack.
Unique Dests is the number of unique ip addresses that were attacked by the particular signature.
Unique Pairs are the number of unique source/dest ip address pairs where the source used the signature to attack the destination.
This is the legend for reading the connections portion of each incident. It is shown once on each report, at the top of the Incidents section.
Each incident listed in the Bro report is assigned a unique, sequential, identification number prefixed with the organization identifier. This number is unique for all incidents, not just to the daily reports.
The Remote and Local hosts are identified by both IP address and hostname. The local hosts are those in the local subnets determined during Bro configuration. It is important to note that "remote host" does not mean "attacking host": attacks can come from local hosts (indicating an inside hacker or a compromised host).
The network event(s) that Bro detects and identifies as possible attacks. There are two general types of alarms, those triggered by signatures and those triggered by Bro rules. See Understand What Triggered the Alarm(s) for more information about the differences.
All alarms will include the date/time of the attack, the direction of the attack, and the ports involved. A SensitiveSignature will include the signature code and payload to help evaluate what triggered the alarm. Embedded Bro rules will include the payload and a session number which can be used for further investigation in the logs. See Examine HTTP FTP or SMTP Sessions.
A list of the first 25 connections after the first alarm is triggered that are attempted between the attacking and victim host. This tabulation of connections can be used to see if connections were accepted by the victim host, the amount of bytes transferred in both directions, the timing between the connections, and the ports involved.
This is a summary of the ip addresses involved in successful scans, the type of scans, and the attacks used by the scanners.
This section gives an overview of the most prominent connections that occurred during the report period, presented in five tables.
The number of successful and unsuccessful connections and the ratio between the two.
Hosts that have initiated the most connections.
Hosts that have accepted connections.
The most active E-mail servers.
The services, as determined by port number, that have been involved in connections.
This section gives a summary of the IP address pairs that have transferred the most bytes during the report period.
Site Report for ORG_NAME from 2004/11/03 00:00:00 to 2004/11/04 00:00:00 generated on Sat Nov 13 12:02:48 2004
ORG_NAME will normally be replaced with "Site name for reports" that was given during the installation and configuration process.
========================================================================
Summary
========================================================================
Since this report is simple and only includes two incidents, the summary is rather uninteresting. A glance at this summary would reveal a rather "slow" day (for which you should be thankful).
Incidents 2
Scanning Hosts
Successful 8
Unsuccessful 15
Signature Summary
Total signatures 2
Unique signatures 2
Unique sources 2
Unique destinations 2
Unique source/dest pairs 1
Since the same two IP addresses were involved in both signature attacks, there is only one unique source/dest pair.
========================================================================
Signature Distributions
========================================================================
                                   Unique     Unique     Unique
Signature ID              Count    Sources    Dests      Pairs
------------------------  -------  ---------  ---------  --------
bro-687-5                 1        1          1          1
bro-144-3                 1        1          1          1
========================================================================
Incident Details
========================================================================
The following legend appears once in every report at the top of the "Incidents" section.
# legend for connection type #
------------------------------
C Connection Status
# number corresponds to alarm triggered by the connection
* successful connection, otherwise unsuccessful.
I Initiator of Connection
> connection initiated by remote host
< connection initiated by local host
------------------------------------------------------------------------
Incident ORG_NAME-000004524
--------------------------------
The host domain name "org_name.org" will normally be replaced by the local domain name. The IP addresses in this example have been synthesized from an imaginary range whose octets exceed 255 (we realize these IP addresses cannot exist). In this example the IP ranges 124.333.0.0/24 and 132.257.0.0/24 are considered the local subnets.
Remote Host: 84.136.338.21 p54877614.dip.hacker.net Local Host: 124.333.183.162 pooroljoe.dhcp.org_name.org
This attacker was successful in using an SQL attack and then downloaded a "tool" using TFTP. Both of these were detected and created the following alarms.
Alarm: SensitiveSignature
1 bro-687-5: MS-SQL xp_cmdshell - program execution
7/29 12:43:31 84.136.338.21 -> 124.333.183.62
566/tcp -> 1433/tcp
signature code:
signature bro-687-5 {
ip-proto == tcp
dst-port == 1433
event "MS-SQL xp_cmdshell - program execution"
tcp-state established,originator
payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]
\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
}
payload: xp_cmdshell 'echo.> c:\\temp\\bcp.cmd'
Alarm: SensitiveSignature
2 bro-1444-3: TFTP Get
7/29 12:43:31 84.136.338.21 -> 124.333.183.62
2318/udp -> 69/udp
signature code:
signature bro-1444-3 {
ip-proto == udp
dst-port == 69
event "TFTP Get"
payload /\x00\x01/
}
payload: Runtime.exe
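To see what the two signature payload patterns actually match, here is an added example (not from the report and not Bro's code) that transcribes them as Python byte regexes and runs them against constructed payloads. The helper names are this example's own, and the eight header bytes in front of the SQL text are only a stand-in for a TDS packet header. The point it makes: TDS carries query text as UCS-2 little-endian, which is why bro-687-5 expects a \x00 after every letter and does not fire on the same text sent as plain ASCII, and bro-1444-3 matches nothing more than the two-byte TFTP read-request opcode.

```python
import re

# The two payload patterns from the signatures above (bro-687-5 and
# bro-1444-3), transcribed as Python byte regexes.
MSSQL_XP_CMDSHELL = re.compile(
    rb".*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]"
    rb"\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00",
    re.DOTALL,  # binary payloads may contain 0x0a, which "." would otherwise skip
)
TFTP_GET = re.compile(rb"\x00\x01")


def matches_xp_cmdshell(payload: bytes) -> bool:
    """True when the payload carries 'xp_cmdshell' in the UCS-2 little-endian
    form TDS uses for query text (a NUL after each letter). re.match anchors at
    offset 0; the signature's leading '.*' is what lets it fire anywhere in
    the request."""
    return MSSQL_XP_CMDSHELL.match(payload) is not None


def matches_tftp_get(payload: bytes) -> bool:
    """True when the first two bytes are the TFTP read-request opcode (1)."""
    return TFTP_GET.match(payload) is not None


def tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP request: 2-byte opcode, filename, NUL, mode, NUL (RFC 1350)."""
    return opcode.to_bytes(2, "big") + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def tftp_get_filename(payload: bytes):
    """Return the requested filename for a TFTP read request, else None."""
    if not matches_tftp_get(payload):
        return None
    return payload[2:].split(b"\x00", 1)[0].decode(errors="replace")


# Constructed samples. The 8 header bytes are a stand-in for a TDS packet
# header, not a real one; the query text is the payload printed in the report.
QUERY = "xp_cmdshell 'echo.> c:\\temp\\bcp.cmd'"
SAMPLE_TDS_REQUEST = b"\x01\x01\x00\x00\x00\x00\x01\x00" + QUERY.encode("utf-16-le")
SAMPLE_ASCII_REQUEST = b"\x01\x01\x00\x00\x00\x00\x01\x00" + QUERY.encode("ascii")
SAMPLE_TFTP_RRQ = tftp_request(1, "Runtime.exe")  # opcode 1 = read request
SAMPLE_TFTP_WRQ = tftp_request(2, "Runtime.exe")  # opcode 2 = write request

if __name__ == "__main__":
    print("UCS-2 xp_cmdshell :", matches_xp_cmdshell(SAMPLE_TDS_REQUEST))    # True
    print("ASCII xp_cmdshell :", matches_xp_cmdshell(SAMPLE_ASCII_REQUEST))  # False
    print("TFTP RRQ filename :", tftp_get_filename(SAMPLE_TFTP_RRQ))         # Runtime.exe
    print("TFTP WRQ filename :", tftp_get_filename(SAMPLE_TFTP_WRQ))         # None
```

For an analyst the useful takeaway is the encoding dependence: a signature written for one wire encoding is silent on another, so a miss from bro-687-5 says nothing about ASCII or differently encoded traffic to port 1433.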
Looking at the "C" column below, the alarms are signified by "1" and "2", both occurring at 12:43:31. Since the attacks take place within one second, this is probably an automated attack. The remote host continues to connect to the victim host, using a different port each time to avoid detection. The large transfers from the local host to the remote host, subsequent to the alarmed attacks, signify that the attack was probably successful.
Connections (only first 25 after first alarm are listed)
-----------
                time      byte      remote         local    byte
date  time      duration  transfer  port    C  I   port     transfer  protocol
----- --------  --------  --------  ------  ------ -----    --------  ----------
07/29 12:43:31  ?         566 b     4634    1  >   1433     467 b     tcp/MSSQL
07/29 12:43:31  0         ?         2318    2  <   69       20 b      udp/tftp
07/29 12:43:32  265.7     4 b       4638    *  <   2318     3.0kb     udp
07/29 12:48:56  ?         ?         4640       >   2362     ?         tcp
07/29 12:50:05  ?         11.4kb    4639    *  <   3333     8.6kb     tcp
07/29 12:53:00  0         ?         4684    *  >   2362     ?         tcp
07/29 12:53:07  ?         ?         4685    *  >   2362     ?         tcp
07/29 12:53:59  ?         ?         4689    *  >   2362     ?         tcp
07/29 12:54:14  6.1       0         4693    *  <   2380     94.2kb    tcp
07/29 12:54:21  .5        50 b      4694       >   2381     0         tcp
07/29 12:54:23  .7        ?         4695       <   2382     0         tcp
07/29 12:54:25  .5        51 b      4696    *  >   2383     0         tcp
07/29 12:54:27  .5        61 b      4697    *  >   2384     0         tcp
07/29 12:54:28  .7        39 b      4698       >   2385     0         tcp
07/29 12:54:31  .5        41 b      4699    *  >   2386     0         tcp
07/29 12:54:33  1.2       4.9 kb    4700       >   2387     0         tcp
07/29 12:54:35  12.8      195.0 kb  4701    *  <   2388     0         tcp
07/29 12:54:53  .2        ?         4703       <   2390     0         tcp
07/29 12:54:54  .5        37 b      4704       >   2391     0         tcp
07/29 12:54:56  3.4       23 b      4705    *  >   2392     0         tcp
07/29 12:55:04  21.4      308.7 kb  4706       >   2393     0         tcp
07/29 12:55:27  50.7      ?         4707       >   2394     ?         tcp
07/29 12:59:23  ?         ?         4775       >   1433     ?         tcp
07/29 12:59:25  ?         ?         4774    *  >   3333     ?         tcp
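An added example, not part of the report or of Bro, that reads a Connections table the way the legend says to and aggregates what the paragraph above reads off by eye: which rows carry alarm numbers, how many later connections succeeded, which side initiated them, and the bytes recorded on each side. The eight sample rows are copied from the first incident's table above; the column order follows the report header; the unit multipliers (kb = 1024 bytes) and all names are this example's assumptions.

```python
import re

# One data row, in the report's column order: date, time, duration,
# remote-side bytes, remote port, C, I, local port, local-side bytes,
# protocol. The C column may be blank, so it is matched as an optional token.
_BYTES = r"(\?|\d[\d.]*(?:\s?[kmg]?b)?)"
ROW_RE = re.compile(
    r"^(\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+" + _BYTES +
    r"\s+(\d+)\s+([0-9*]*)\s*([<>])\s+(\d+)\s+" + _BYTES + r"\s+(\S+)\s*$"
)

# Assumption of this example: the report does not say whether "kb" is 1000 or 1024.
UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_bytes(field):
    """'566 b' -> 566.0, '3.0kb' -> 3072.0, '0' -> 0.0, '?' -> None (unknown)."""
    if field == "?":
        return None
    m = re.fullmatch(r"(\d[\d.]*)\s?([kmg]?b)?", field)
    return float(m.group(1)) * UNITS[m.group(2) or "b"]


def parse_connections(text):
    """Turn the table text into dicts, applying the legend to the C and I columns."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, rule or blank line
        date, time, dur, rbytes, rport, c, i, lport, lbytes, proto = m.groups()
        rows.append({
            "when": f"{date} {time}",
            "duration": None if dur == "?" else float(dur),
            "remote_port": int(rport),
            "local_port": int(lport),
            "alarm": int(c) if c.isdigit() else None,   # "#": alarm triggered by this connection
            "successful": c == "*",                     # "*": successful, otherwise unsuccessful
            "initiated_by": "remote" if i == ">" else "local",
            "remote_bytes": parse_bytes(rbytes),
            "local_bytes": parse_bytes(lbytes),
            "protocol": proto,
        })
    return rows


def summarize(rows):
    """Aggregate from the first alarm onward; unknown byte counts ('?') count as 0."""
    alarm_idx = [k for k, r in enumerate(rows) if r["alarm"] is not None]
    after = rows[alarm_idx[0]:] if alarm_idx else rows
    ok = [r for r in after if r["successful"]]
    return {
        "alarms": [r["alarm"] for r in rows if r["alarm"] is not None],
        "successful_after_alarm": len(ok),
        "local_initiated": sum(r["initiated_by"] == "local" for r in after),
        "remote_bytes": sum(r["remote_bytes"] or 0 for r in ok),
        "local_bytes": sum(r["local_bytes"] or 0 for r in ok),
        "distinct_remote_ports": len({r["remote_port"] for r in after}),
    }


# Eight rows copied from the first incident's Connections table above.
SAMPLE_TABLE = """\
07/29 12:43:31 ? 566 b 4634 1 > 1433 467 b tcp/MSSQL
07/29 12:43:31 0 ? 2318 2 < 69 20 b udp/tftp
07/29 12:43:32 265.7 4 b 4638 * < 2318 3.0kb udp
07/29 12:48:56 ? ? 4640 > 2362 ? tcp
07/29 12:50:05 ? 11.4kb 4639 * < 3333 8.6kb tcp
07/29 12:54:14 6.1 0 4693 * < 2380 94.2kb tcp
07/29 12:54:35 12.8 195.0 kb 4701 * < 2388 0 tcp
07/29 12:55:04 21.4 308.7 kb 4706 > 2393 0 tcp
"""


def sample_rows():
    return parse_connections(SAMPLE_TABLE)


def sample_summary():
    return summarize(sample_rows())


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key:24} {value}")
```

The regex tolerates the collapsed whitespace of a copied report as well as the aligned original, and a "?" stays None rather than becoming 0 in the per-row data, so the summary's zero-for-unknown choice is visible in one place.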
The next Incident demonstrates alarms triggered by embedded rules, rather than signatures.
------------------------------------------------------------------------
Incident ORG_NAME-000004525
--------------------------------
Remote Host: 80.143.378.186 p508FB2BA.dip.t-dialin.net Local Host: 128.333.181.191 lemonade.lbl.gov
Since these alarms are triggered in the HTTP protocol, the actual trigger rules are found in the file bro/policy/http.bro.
Alarm: HTTP_SensitiveURI
11/13 11:36:05 80.143.378.186 -> 128.333.181.191
1560/tcp -> 80/tcp
session: %4672
payload: GET http://cn.edit.vip.cnb.yahoo.com/config/login?.redir_from=PROFILES
Alarm: HTTP_SensitiveURI
11/13 11:53:54 80.143.378.186 -> 128.333.181.191
2434/tcp -> 80/tcp
session: %7386
payload: GET http://l10.login.scd.yahoo.com/config/login?.redir_from=PROFILES?&
In the connections shown below, all connections are from the remote host to the local host, with no successful connections back. Also the payload above is seeking yahoo.com. Hence the likelihood is that this is not an attack.
Connections (only first 25 after alarm are listed)
-----------
                time      byte      remote         local    byte
date  time      duration  transfer  port    C  I   port     transfer  protocol
----- --------  --------  --------  ------  ------ -----    --------  ----------
11/13 11:36:05  1.109227  297       1560    *  >   80       1531      http
11/13 11:36:06  ?         ?         1560       >   80       ?         http
11/13 11:41:51  0.843209  301       3175    *  >   80       1533      http
11/13 11:41:52  ?         ?         3175       >   80       ?         http
11/13 11:47:37  2.562365  281       4701    *  >   80       1382      http
11/13 11:47:39  ?         ?         4701       >   80       ?         http
11/13 11:53:53  0.694131  293       2434    *  >   80       1529      http
11/13 11:53:54  ?         ?         2434       >   80       ?         http
11/13 11:59:23  0.685181  301       3975    *  >   80       1529      http
11/13 11:59:23  ?         ?         3975       >   80       ?         http
11/13 12:04:53  1.054925  289       1700    *  >   80       1527      http
11/13 12:04:54  ?         ?         1700       >   80       ?         http
11/13 12:11:56  2.579652  283       3442    *  >   80       1523      http
11/13 12:11:59  ?         ?         3442       >   80       ?         http
11/13 12:18:08  1.046188  289       1083    *  >   80       1531      http
11/13 13:14:42  ?         ?         3282       >   80       ?         http
11/13 13:16:46  ?         ?         4802       >   80       ?         http
11/13 13:19:04  1.731771  0         2764    *  >   80       0         http
11/13 13:19:07  ?         ?         2764       >   80       ?         http
11/13 13:20:42  0.994114  289       4142    *  >   80       1527      http
11/13 13:20:43  ?         ?         4142       >   80       ?         http
11/13 13:22:37  1.122448  292       1732    *  >   80       1523      http
11/13 13:22:38  ?         ?         1732       >   80       ?         http
11/13 13:24:40  1.042112  289       3179    *  >   80       1531      http
11/13 13:24:41  ?         ?         3179       >   80       ?         http
========================================================================
Scans (only first 100 shown)
========================================================================
The scans shown below are considered "successful". Four interesting scans are the ones originating from the 124.333 and 132.257 ranges, since those are local; these should be investigated. The attack against 132.257.85.96 might also be investigated further. With each report, a review of the attacks will give an understanding of what types of scans are becoming "popular".
Scanning IP       Victim IP         Attack
132.257.70.234    multiple          bro-1344-5
132.257.52.64     multiple          bro-1367-5
63.251.3.51       multiple          bro-2570-6
124.333.181.191   multiple          bro-1599-7
210.313.36.53     132.257.85.96     >1000 port scan
211.300.24.151    132.257.85.96     >1000 port scan
124.333.95.0      62.214.34.30      >250 port scan
172.278.206.135   multiple          (3128/tcp)
========================================================================
Connection Log Summary
========================================================================
The connection log summary gives a general idea of what hosts are most active. The analyst may want to become familiar with any new hosts that appear on the next three lists, and with services that appear, or radically change position, on the fourth list.
Site-wide connection statistics
Successful: 4498748
Unsuccessful: 35941140
Ratio: 1:7.989
Top 20 Sources
Host IP Bytes Conn. Count
-------------------------------- --------------- ------ -----------
ns1.org_name.org 124.333.34.186 3.7 G 683948
ns2.org_name.org 132.257.64.2 165 M 231245
lemonade.org_name.org 124.333.181.191 88 M 217781
nsx.org_name.org 132.257.64.3 371 M 200935
cinnamon.mining.com 207.5.380.138 4.5 M 103011
node2.lbnl.nodes.planet.org 198.328.56.12 106 M 75725
node1.lbnl.nodes.planet.org 198.328.56.11 85 M 73719
microscope.dhcp.org_name.org 132.257.19.79 61 M 54024
169.299.224.1 2.3 M 40348
uhuru.org_name.org 132.257.10.97 423 M 39847
132.257.77.246 13 M 29496
googledev.org_name.org 124.333.41.57 13 M 24930
64.46.248.43 60 M 19785
...16-141.sfo4.dsl.contactor.net 66.292.16.141 6.2 M 19048
rock.es.net 198.128.2.83 2.8 G 18459
perry.Geo.college.EDU 124.32.349.11 1.7 M 17326
google.org_name.org 124.333.41.70 8.5 M 15508
egspd42212.search.com 65.264.38.212 3.1 M 15138
hmb-330-042.MSE.college.EDU 124.32.349.20 222 M 14865
1rodan.dhcp.org_name.org 132.257.19.170 7.7 M 11873
Top 20 Destinations
Host IP Bytes Conn. Count
-------------------------------- --------------- ------ -----------
nsx.org_name.org 132.257.64.3 14 G 1571638
ns1.org_name.org 124.333.34.186 1.6 G 264976
ns2.org_name.org 132.257.64.2 80 M 218740
lemonade.org_name.org 124.333.181.191 2.6 G 176788
CS.university.EDU 128.312.136.10 10 M 81622
g.old-servers.net 192.42.293.30 11 G 71407
engram.CS.university.EDU 128.312.136.12 7.5 M 61309
aulvs.realthing.com 207.288.24.156 792 M 50493
ns1.college.EDU 124.32.349.9 995 M 39977
rohan.superc.gov 128.550.6.34 4.7 G 32883
sportsmed.starship.com 199.281.132.79 17 M 32152
ns2.yoho.com 66.263.169.170 2.1 G 24361
uhuru.org_name.org 132.257.10.97 58 M 19785
g3.NSDDD.COM 192.342.93.32 488 M 19734
w4.org_name.org 124.333.7.51 447 M 19334
E.TOP-SERVERS.NET 192.303.230.10 195 M 19066
mantis.org_name.org 124.333.7.39 395 M 18811
postala.org_name.org 124.333.41.61 8.0 M 17283
vista.org_name.org 132.257.48.146 488 M 15961
calmail.college.EDU 128.32.349.103 73 M 15154
Top 20 Local Email Senders
Hostname                                 IP              Conn. Count
---------------------------------------- --------------- -----------
mta1.org_name.org 124.333.41.24 3869
postala.org_name.org 124.333.41.61 2850
ci.org_name.org 132.257.192.220 868
postal2.org_name.org 132.257.248.26 376
ee.org_name.org 132.257.1.10 173
math.org_name.org 124.333.7.22 131
rod2.org_name.org 132.257.112.183 121
gigo.org_name.org 124.333.2.54 110
mh1.org_name.org 124.333.7.48 82
stm.org_name.org 132.257.16.51 81
dppg.net 124.333.7.87 77
listserv.org_name.org 124.333.41.40 50
letters.org_name.org 132.257.16.123 44
portnoy.org_name.org 132.257.2.11 37
glacier.org_name.org 132.257.2.152 25
mailbag.org_name.org 132.257.16.222 22
sseos.org_name.org 124.333.181.217 21
ntlin01.dhcp.org_name.org 124.333.183.79 20
persil.org_name.org 124.333.5.106 20
beauty8.org_name.org 124.333.5.33 16
A maximum of 20 entries are shown.
There are another 39 that are not displayed.
Top 20 Services
Service Conn. Count % of Total Bytes In Bytes Out
------------ ------------ ---------- --------- ---------
dns 3378522 75.10 30 G 11 G
http 902573 20.06 18 G 11 G
other 92913 2.07 14 G 249 G
smtp 35942 0.80 458 M 196 M
https 33848 0.75 2.3 G 179 M
ssh 25515 0.57 977 M 1.0 G
netbios-ssn 11004 0.24 65 M 9.5 M
pop-3 5494 0.12 58 M 3.6 M
ftp-data 4495 0.10 37 G 34 G
ldap 3549 0.08 740 K 2.0 M
ftp 1061 0.02 1.3 M 873 K
ident 970 0.02 29602 9039
printer 834 0.02 837 9176
time 645 0.01 2416 166
imap4 636 0.01 28 M 47 M
nntp 308 0.01 355 M 1.5 M
pm_getport 238 0.01 13328 6664
telnet 164 0.00 469 K 7850
ntp 26 0.00 1344 1392
X11 6 0.00 652 K 64280
========================================================================
Byte Transfer Pairs
========================================================================
Once again, this summary gives a general idea of what hosts are most active. Radical changes to this list may indicate malicious activity.
Hot Report - Top 20
Local Remote Conn.
Local Host Remote Host Bytes Bytes Count
--------------- --------------- --------- --------- ---------
124.333.28.60 128.265.128.131 123 G 5327 K 3930
124.333.28.60 128.265.128.132 123 G 5159 K 3927
132.257.64.3 198.328.2.83 2855 M 11.9 G 15097
124.333.34.186 192.342.93.30 2958 M 10.7 G 40033
132.257.64.3 61.283.32.172 7469 M 10393 11
124.333.41.57 128.256.6.34 12.0 M 4490 M 22360
124.333.181.191 81.257.197.163 1350 M 4430 M 3341
132.257.64.3 130.262.101.6 276 M 2200 M 13064
124.333.34.186 66.263.169.170 389 M 2095 M 17919
132.257.195.68 140.267.28.48 91.3 M 2029 M 6275
132.257.212.232 151.293.199.65 39155 1994 M 24
124.333.41.61 206.290.82.18 3401 1853 M 22
132.257.64.3 61.278.72.30 1798 M 7 1
124.333.181.191 61.263.209.246 16.8 M 1676 M 113
132.257.64.3 261.232.163.3 1544 M 24069 9
132.257.64.3 61.273.210.110 1517 M 4140 7
124.333.34.186 128.342.121.70 1351 M 222 M 14861
132.257.64.3 258.14.200.58 1350 M 24075 14
132.257.64.3 222.330.100.28 1219 M 4077 7
132.257.64.3 210.261.41.131 1162 M 25 3