4.4 Reading a Bro Report

The report is divided into three parts, the summary, incidents, and scans. The summary includes a rollup of incident information, Bro operational statistics, and network information. The incidents section has details for each Bro alarm. The scans section gives details about scans that Bro detected.

4.4.1 Parts of a Report

Summary
Report Period: The beginning and ending date/times that define the window of network data used to produce the report.

Incident Count: The number of incidents of each type that are detailed for the report period.

System Statistics: Operating system statistics that give some idea of the 'health' of Bro's operation.

Traffic Statistics: Statistics gathered by Bro that may or may not have significant value in evaluating intrusions, but are useful in understanding the network environment.

Incidents
Incident: Each incident generated by the Bro installation is assigned a unique identification number. This number is unique for all incidents, not just to the daily report.

Incident Type: Bro can detect attacks, but cannot make a definitive judgment if an attack is successful without further investigation and/or knowledge of the unique network environment. Bro uses an expert knowledge algorithm to make a determination if an incident is 'Likely Successful', 'Unknown' (not enough information to make a guess), or 'Likely Unsuccessful'.

Local Host: The local computer involved in the incident; usually the victim.

Remote Host: The remote computer involved in the incident; usually the attacker.

Alarm(s): The network event(s) that Bro detected and identified as probable attacks.

Successful Connections: Connections where one host initiates a network request and the other host participates in the subsequent requested transactions.

Unsuccessful Connections: Connections where one host initiates a network request and the other host refuses the request.

Unknown Connections: Connections where one host initiated a network request, but it is unclear if the other host participated in a successful transaction.

Connections History: A summary tabulation of successful and unsuccessful connections made in specific time periods. The tabulations are cumulative. That is, the connections counted under 3 days will also be counted in each subsequent column.

Scans

Scans are repetitive (similar) probes, searching several victim hosts for vulnerabilities. The scan section gives the attack host instigating the scan, the date/time of the scan, and the ports that were probed.

4.4.2 Example Report:

     
     Bro Report                                              Organization Name 
     =========================================================================
     Summary                        July 28, 2004 17:01 to July 29, 2004 17:00
     =========================================================================
      Incident       Likely Successful          1
      Summary        Unknown                    0
                     Likely Unsuccessful        0
                     Scans                     10
     
      System         Bro disk space:   <% at time of report generation>
      Statistics     Bro Process cpu:  <time>
                     Bro restarts:     <date/time>
                     System reboots:   <date/time>
     
      Traffic        Number of packets:       <count>
      Statistics     Number of valid packets: <count>  <% of total>
                     Protocol summary
                     Http: <count>   <% of total>
                     SSH : <count>   <% of total>
                     SMTP: <count>   <% of total>
                     Etc.
                     Average bandwidth:
                     Peak bandwidth:
     =========================================================================
     Incident Details
                            legend for connection type
                     > connection initiated by remote host
                     < connection initiated by local host
                     # number corresponds to alarm triggered by the connection
                     * successful connection, otherwise unsuccessful
     =========================================================================
     Incident     ORGCODE-000002                             LIKELY SUCCESSFUL
     ---------------------
     Remote Host: 84.136.138.21   p54877614.dip.hacker.net
      Local Host: 124.333.183.162 pooroljoe.dhcp.org.com
     
     Alarm(s) 1 MS-SQL xp_cmdshell - program execution
                Jul 29 12:43 84.135.118.20 -> 128.3.183.62
              2 TFTP Get Runtime.exe
                Jul 29 12:43 128.3.183.62 -> 84.135.118.20
     
     Connections (only first 25 after alarm are listed)
     -----------
                      time      byte   remote       local    byte
      date   time   duration  transfer  port  type   port  transfer  protocol
     ----- -------- -------- --------- -----  ---- ------ --------- ----------
     07/29 12:43:31        ?     566 b  4634  1  >  1433      467 b  tcp/MSSQL
     07/29 12:43:31        0         ?  2318  2 <     69       20 b  udp/tftp
     07/29 12:43:32    265.7       4 b  4638  * <   2318      3.0kb  udp
     07/29 12:48:56        ?         ?  4640     >  2362          ?  tcp
     07/29 12:50:05        ?    11.4kb  4639  * <   3333      8.6kb  tcp
     07/29 12:53:00        0         ?  4684  *  >  2362          ?  tcp
     07/29 12:53:07        ?         ?  4685  *  >  2362          ?  tcp
     07/29 12:53:59        ?         ?  4689  *  >  2362          ?  tcp
     07/29 12:54:14      6.1         0  4693  * <   2380     94.2kb  tcp
     07/29 12:54:21       .5      50 b  4694     >  2381          0  tcp
     07/29 12:54:23       .7         ?  4695    <   2382          0  tcp
     07/29 12:54:25       .5      51 b  4696  *  >  2383          0  tcp
     07/29 12:54:27       .5      61 b  4697  *  >  2384          0  tcp
     07/29 12:54:28       .7      39 b  4698     >  2385          0  tcp
     07/29 12:54:31       .5      41 b  4699  *  >  2386          0  tcp
     07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0  tcp
     07/29 12:54:35     12.8  195.0 kb  4701  * <   2388          0  tcp
     07/29 12:54:53       .2         ?  4703    <   2390          0  tcp
     07/29 12:54:54       .5      37 b  4704     >  2391          0  tcp
     07/29 12:54:56      3.4      23 b  4705  *  >  2392          0  tcp
     07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0  tcp
     07/29 12:55:27     50.7         ?  4707     >  2394          ?  tcp
     07/29 12:59:23        ?         ?  4775     >  1433          ?  tcp
     07/29 12:59:25        ?         ?  4774  *  >  3333          ?  tcp
     
     Remote Host Connection History (all successful/unsuccessful to site)
           24 hrs     |      3 days      |      7 days     |      30 days
     -------------------------------------------------------------------------
            14/10     |        0/0       |        0/0      |        0/0
     -------------------------------------------------------------------------
       Total since remote host first seen on 07/29/04: 14/10
     
     =========================================================================
     Scans
     =========================================================================
     Date Dropped     Host                                        Port Scanned
     -------------------------------------------------------------------------
     Jul 29 13:14 n219077002119.netvigator.com                     (3128/tcp)
     Jul 29 13:23 node1.lbnl.nodes.planet-lab.org                  (49702/tcp)
     Jul 29 13:30 213-145-189-50.dd.nextgentel.com                 (4899/tcp)
     Jul 29 13:32 211.55.52.67                                     (1034/tcp)
     Jul 29 13:52 user-69-1-11-116.knology.net                     (3128/tcp)
     
     *************************************************************************
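A small parser for the Connections table of an incident, applying the legend from the example report ('>' remote-initiated, '<' local-initiated, a leading number for the alarm that fired, '*' for a successful connection) and tallying rows in the report's successful/unsuccessful form. This is an added example, not part of Bro or its report generator; the sample rows are copied from the example table above, and the column regular expression is an assumption about that layout.

```python
"""Parser for the "Connections" table of a Bro incident report, using the
column legend from the example report (added example, not part of Bro)."""
import re

# Columns: date time duration remote_bytes remote_port [alarm#] [*] dir local_port local_bytes proto
ROW = re.compile(
    r"^(\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\?|[\d.]+)\s+(\?|[\d.]+\s?k?b|\d+)\s+(\d+)"
    r"\s+(?:(\d+)\s+)?(?:(\*)\s+)?([<>])\s+(\d+)\s+(\?|[\d.]+\s?k?b|\d+)\s+(\S+)\s*$"
)

def parse_row(line):
    """Return a dict for one table row, or None for header/separator lines."""
    m = ROW.match(line.strip())
    if not m:
        return None
    date, time, _dur, _rb, rport, alarm, star, direction, lport, _lb, proto = m.groups()
    # Legend: '>' initiated by remote host, '<' by local host, '*' successful
    # (otherwise unsuccessful), a number ties the row to the Alarm(s) list.
    return {
        "date": date, "time": time, "proto": proto,
        "remote_port": int(rport), "local_port": int(lport),
        "initiated_by": "remote" if direction == ">" else "local",
        "successful": star == "*",
        "alarm": int(alarm) if alarm else None,
    }

def summarize(table):
    """Tally a table as successful/unsuccessful (the report's 'S/U' form) and
    list the rows that triggered an alarm."""
    conns = [c for c in map(parse_row, table.splitlines()) if c]
    ok = sum(c["successful"] for c in conns)
    return {
        "successful": ok,
        "unsuccessful": len(conns) - ok,
        "history": f"{ok}/{len(conns) - ok}",
        "remote_initiated": sum(c["initiated_by"] == "remote" for c in conns),
        "alarmed": [(c["alarm"], c["local_port"], c["proto"]) for c in conns if c["alarm"]],
    }

# Constructed sample: header, separator and seven rows copied from the example table.
SAMPLE = """\
 date   time   duration  transfer  port  type   port  transfer  protocol
----- -------- -------- --------- -----  ---- ------ --------- ----------
07/29 12:43:31        ?     566 b  4634  1  >  1433      467 b  tcp/MSSQL
07/29 12:43:31        0         ?  2318  2 <     69       20 b  udp/tftp
07/29 12:43:32    265.7       4 b  4638  * <   2318      3.0kb  udp
07/29 12:48:56        ?         ?  4640     >  2362          ?  tcp
07/29 12:50:05        ?    11.4kb  4639  * <   3333      8.6kb  tcp
07/29 12:54:21       .5      50 b  4694     >  2381          0  tcp
07/29 12:54:35     12.8  195.0 kb  4701  * <   2388          0  tcp
"""
```

Running summarize(SAMPLE) gives a "3/4" history for these seven rows; the report's own 24-hour column (14/10) covers all connections to the site, not only the ones listed under the incident.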