Bits and bytes of a hacker.

Granular Network Security Monitoring With Bro IDS

If you’re a security researcher and haven’t kicked the wheels yet of Doug Burks' Security Onion, you’re missing out on a enormous asset to your security arsenal. The Onion provides complete insight into your network providing you with a full IDS (Intrusion Detection System) and NSM (Network Security Monitoring) capabilities.

One of the greatest tools Security Onion provides is Bro logging. The Security Onion takes less than an hour to setup and configure, but once connected to a network tap and put in “promiscuous” mode, Bro logging kicks in and begins capturing, logging, and compressing every packet flowing into and out of your network.

Given this visibility sparked me to write a little bash script building off of Sketchymoose’s python written URL checker, which uses Virustotal’s API to check a large quantity of given URLs for any detections among 51 scanning engines.

The script coupled with the Onion is designed to find any and all domains visited by anyone on the network that end in foreign country codes (.hk .ru .cc …etc) over the duration of 24 hours at 11:55 pm. These domains are then scanned by Virus Total and those that come back as being malicious are recorded.

An email will then be sent at midnight informing the incident response team which endpoints had visited malicious sites and for how long each connection persisted after the initial connection had been made.

If a connection was made to a known malicious site and the connection lasted dozens of minutes or hours, it can be assumed that the endpoint was more than likely compromised. At this point the endpoint would be further examined and an investigation can be made to determine whether or not any sensitive data was put at risk.

Follow these steps to configure the script.

  1. Install Security Onion and configure the tap interface to monitor in promiscuous mode.

  2. Create a directory in the /opt/ folder called URLchecker.

  3. Inside URLchecker, place CountryCodeChecker.sh and both Sketchymoose’s scripts, urlChecker.py and parseCheckerFile.py.

  4. Edit urlChecker.py and provide your Virus Total API key (free once you sign up.) Also, be sure to uncomment the timeout.sleep functions if you have a free license. Comment out line 50, 122,126, and 129 to lessen the verbosity of the script. If you encounter errors regarding invalid JSON variables, I fixed this by changing line 121 to if count1 % 4 == 0: and changing my sleep intervals to 30 seconds instead of 15.

  5. Edit parseCheckerFile.py by changing line 30 to [base:base+4] and line 31 to if "Link: " in l:.

Make CountryCodeChecker.sh executable with: sudo chmod u+x CountryCodeChecker.sh

Follow this tutorial to setup SSMTP to allow cron to email you the script output, Gmail works fine but if you have an internal email server, that should work too.

To configure cron run crontab -e as root, select nano as your editor, then put in the bottom of your crontab file: MAILTO="" 55 23 * * * /opt/URLchecker/CountryCodeChecker.sh | /usr/sbin/ssmtp [email protected]