


Reading a Bro Report

The report is divided into three parts, the summary, incidents, and scans. The summary includes a rollup of incident information, Bro operational statistics, and network information. The incidents section has details for each Bro alarm. The scans section gives details about scans that Bro detected.

Parts of a Report

Header

The header gives some basic information about the report.

Site name is determined by the "Site name for reports" that was given during the installation and configuration process.

Start time and interval of the report are also entered during the configuration process.
See Bro Configuration.

Summary

This section gives a numeric summary of the events that have happened in the reporting period.

Incidents shows the number of incidents that are recorded in the report period. An incident is any occurrence that is deemed worth investigating. An incident is formed by the triggering of one or more alarms.

Scanning Hosts are the number of specific IP addresses that have been detected scanning either into or out from the site.
A scan can be a:
A successful scan is when:
Signature Summary shows the total number of alarms triggered by signatures during the report period and the number of those that are unique. These numbers do not include alarms triggered by embedded Bro rules. See Understand What Triggered the Alarm(s).

Signature Distributions

This is a list of all signatures that were triggered during the report period.
NOTE: This section does not include alarms triggered by embedded Bro rules. See Understand What Triggered the Alarm(s).

Count is the number of times the signature was seen.

Unique Sources is the number of unique ip addresses that used the specific signature as an attack.

Unique Dests is the number of unique ip addresses that were attacked by the particular signature.

Unique Pairs are the number of unique source/dest ip address pairs where the source used the signature to attack the destination.

Incidents

This is the legend for reading the connections portion of each incident. It is shown once on each report at the top of the Incidents section.
Each incident listed in the Bro report is assigned a unique, sequential, identification number prefixed with the organization identifier. This number is unique for all incidents, not just to the daily reports.
The Remote and Local hosts are identified by both ip address and hostname. The local hosts are those that are in local subnets as determined during Bro configuration. It is important to note that "remote host" does not imply "attacking host". Attacks can come from local hosts (indicating an inside hacker or a compromised host).
The network event(s) that Bro detects and identifies as possible attacks. There are two general types of alarms, those triggered by signatures and those triggered by Bro rules. See Understand What Triggered the Alarm(s), for more information about the differences. All alarms will include the date/time of the attack, the direction of the attack, and the ports involved. A SensitiveSignature will include the signature code and payload to help evaluate what triggered the alarm. Embedded Bro rules will include the payload and a session number which can be used for further investigation in the logs. See Examine HTTP FTP or SMTP Sessions.
A list of the first 25 connections attempted between the attacking and victim hosts after the first alarm is triggered. This tabulation of connections can be used to see whether connections were accepted by the victim host, the number of bytes transferred in each direction, the timing between the connections, and the ports involved.

Scans

This is a summary of the ip addresses involved in successful scans, the type of scans, and the attacks used by the scanners.

Connection Log Summary

This section gives an overview of the most prominent connections that have occurred during the report period, as shown by way of five tables.

The number of successful and unsuccessful connections and the ratio between the two.
Hosts that have initiated the most connections.
Hosts that have accepted connections.
The most active E-mail servers.
The services, as determined by port number, that have been involved in connections.

Byte Transfer Pairs

This section gives a summary of the ip address pairs that have transferred the most bytes during the report period.

Annotated Example Report:

Site Report for ORG_NAME
from 2004/11/03 00:00:00 to 2004/11/04 00:00:00
generated on Sat Nov 13 12:02:48 2004
ORG_NAME will normally be replaced with "Site name for reports" that was given during the installation and configuration process.
========================================================================
Summary
========================================================================
Since this report is simple and only includes two incidents, the summary is rather uninteresting. A glance at this summary would reveal a rather "slow" day (for which you should be thankful).
  Incidents               2
  Scanning Hosts
    Successful            8
    Unsuccessful          15
  Signature Summary
    Total signatures          2
    Unique signatures         2
    Unique sources            2
    Unique destinations       2
    Unique source/dest pairs  1
Since the same two ip addresses were involved in both signature attacks, there is only one unique source/dest pair.
========================================================================
Signature Distributions
========================================================================
                                       Unique      Unique    Unique
  Signature ID               Count     Sources     Dests      Pairs
  ------------------------  --------  ---------  ---------  --------
  bro-687-5                 1          1          1          1
  bro-1444-3                1          1          1          1
========================================================================
Incident Details
========================================================================
The following legend appears once in every report at the top of the "Incidents" section
     # legend for connection type #
                  ------------------------------
         C Connection Status
           # number corresponds to alarm triggered by the connection
           * successful connection, otherwise unsuccessful.
         I Initiator of Connection
           > connection initiated by remote host
           < connection initiated by local host
------------------------------------------------------------------------
Incident      ORG_NAME-000004524
--------------------------------
The host domain name "org_name.org" will normally be replaced by the local domain name. The IP addresses in this example have been synthesized from an imaginary range whose octets fall outside the valid range. (We realize these ip addresses cannot exist.) In this example the ip ranges 124.333.0.0/24 and 132.257.0.0/24 are considered the local subnets.
Remote Host: 84.136.338.21   p54877614.dip.hacker.net
 Local Host: 124.333.183.162 pooroljoe.dhcp.org_name.org
This attacker was successful in using an SQL attack and then downloaded a "tool" using TFTP. Both of these were detected and created the following alarms.
Alarm: SensitiveSignature
  1    bro-687-5: MS-SQL xp_cmdshell - program execution
       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
                                            566/tcp -> 1433/tcp
       signature code:
       signature bro-687-5 {
         ip-proto == tcp
         dst-port == 1433
         event "MS-SQL xp_cmdshell - program execution"
         tcp-state established,originator
         payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]
         \x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
       }
       payload: xp_cmdshell 'echo.> c:\\temp\\bcp.cmd'

Alarm: SensitiveSignature
  2    bro-1444-3: TFTP Get
       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
                                           2318/udp -> 69/udp
       signature code:
       signature bro-1444-3 {
           ip-proto == udp
           dst-port == 69
           event "TFTP Get"
           payload /\x00\x01/
           }
       payload: Runtime.exe
Looking at the "C" column below, the alarms are signified by "1" and "2", both occurring at 12:43:31. Since the attacks take place within one second, this is probably an automated attack. The remote host continues to connect to the victim host, using a different port each time to avoid detection. The large transfers from the local host to the remote host, subsequent to the alarmed attacks, signify that the attack is probably successful.
Connections (only first 25 after first alarm are listed)
-----------
                 time     byte   remote        local   byte
 date   time   duration transfer  port  C   I   port transfer  protocol
----- -------- -------- -------- ------ ------ ----- -------- ----------
07/29 12:43:31        ?     566 b  4634 1   >  1433      467 b tcp/MSSQL
07/29 12:43:31        0         ?  2318 2  <     69       20 b udp/tftp
07/29 12:43:32    265.7       4 b  4638 *  <   2318      3.0kb udp
07/29 12:48:56        ?         ?  4640     >  2362          ? tcp
07/29 12:50:05        ?    11.4kb  4639 *  <   3333      8.6kb tcp
07/29 12:53:00        0         ?  4684 *   >  2362          ? tcp
07/29 12:53:07        ?         ?  4685 *   >  2362          ? tcp
07/29 12:53:59        ?         ?  4689 *   >  2362          ? tcp
07/29 12:54:14      6.1         0  4693 *  <   2380     94.2kb tcp
07/29 12:54:21       .5      50 b  4694     >  2381          0 tcp
07/29 12:54:23       .7         ?  4695    <   2382          0 tcp
07/29 12:54:25       .5      51 b  4696 *   >  2383          0 tcp
07/29 12:54:27       .5      61 b  4697 *   >  2384          0 tcp
07/29 12:54:28       .7      39 b  4698     >  2385          0 tcp
07/29 12:54:31       .5      41 b  4699 *   >  2386          0 tcp
07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0 tcp
07/29 12:54:35     12.8  195.0 kb  4701 *  <   2388          0 tcp
07/29 12:54:53       .2         ?  4703    <   2390          0 tcp
07/29 12:54:54       .5      37 b  4704     >  2391          0 tcp
07/29 12:54:56      3.4      23 b  4705 *   >  2392          0 tcp
07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0 tcp
07/29 12:55:27     50.7         ?  4707     >  2394          ? tcp
07/29 12:59:23        ?         ?  4775     >  1433          ? tcp
07/29 12:59:25        ?         ?  4774 *   >  3333          ? tcp
The next Incident demonstrates alarms triggered by embedded rules, rather than signatures.
------------------------------------------------------------------------
Incident      ORG_NAME-000004525
--------------------------------
Remote Host:  80.143.378.186     p508FB2BA.dip.t-dialin.net
 Local Host:  128.333.181.191      lemonade.lbl.gov
Since these alarms are triggered in the HTTP protocol, the actual trigger rules are found in the file bro/policy/http.bro.
Alarm: HTTP_SensitiveURI
       11/13 11:36:05                80.143.378.186 -> 128.333.181.191
                                           1560/tcp -> 80/tcp
       session: %4672
       payload: GET http://cn.edit.vip.cnb.yahoo.com/config/login?.redir
                _from=PROFILES

Alarm: HTTP_SensitiveURI
       11/13 11:53:54                80.143.378.186 -> 128.333.181.191
                                           2434/tcp -> 80/tcp
       session:%7386
       payload: GET http://l10.login.scd.yahoo.com/config/login?.redir_f
                rom=PROFILES?&
In the connections shown below, all connections are from the remote host to the local host, with no successful connections back. Also the payload above is seeking yahoo.com. Hence the likelihood is that this is not an attack.
Connections (only first 25 after alarm are listed)
-----------
                 time     byte   remote        local   byte
 date   time   duration transfer  port  C   I   port transfer  protocol
----- -------- -------- -------- ------ ------ ----- -------- ----------
11/13 11:36:05 1.109227      297   1560 *    >    80     1531       http
11/13 11:36:06        ?        ?   1560      >    80        ?       http
11/13 11:41:51 0.843209      301   3175 *    >    80     1533       http
11/13 11:41:52        ?        ?   3175      >    80        ?       http
11/13 11:47:37 2.562365      281   4701 *    >    80     1382       http
11/13 11:47:39        ?        ?   4701      >    80        ?       http
11/13 11:53:53 0.694131      293   2434 *    >    80     1529       http
11/13 11:53:54        ?        ?   2434      >    80        ?       http
11/13 11:59:23 0.685181      301   3975 *    >    80     1529       http
11/13 11:59:23        ?        ?   3975      >    80        ?       http
11/13 12:04:53 1.054925      289   1700 *    >    80     1527       http
11/13 12:04:54        ?        ?   1700      >    80        ?       http
11/13 12:11:56 2.579652      283   3442 *    >    80     1523       http
11/13 12:11:59        ?        ?   3442      >    80        ?       http
11/13 12:18:08 1.046188      289   1083 *    >    80     1531       http
11/13 13:14:42        ?        ?   3282      >    80        ?       http
11/13 13:16:46        ?        ?   4802      >    80        ?       http
11/13 13:19:04 1.731771        0   2764 *    >    80        0       http
11/13 13:19:07        ?        ?   2764      >    80        ?       http
11/13 13:20:42 0.994114      289   4142 *    >    80     1527       http
11/13 13:20:43        ?        ?   4142      >    80        ?       http
11/13 13:22:37 1.122448      292   1732 *    >    80     1523       http
11/13 13:22:38        ?        ?   1732      >    80        ?       http
11/13 13:24:40 1.042112      289   3179 *    >    80     1531       http
11/13 13:24:41        ?        ?   3179      >    80        ?       http
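The two connection tables above can be read mechanically with the legend: the C column carries an alarm number or "*" for a successful connection, and the I column shows which side initiated it. The parser below is an added example, not part of Bro or its report scripts; it assumes the column order given in the legend and the byte-count spellings that appear in these tables, and applies the walkthrough's own rule (successful local-initiated connections after the alarms versus only remote-initiated traffic).

```python
import re
from dataclasses import dataclass
from typing import Optional
_UNIT = {"": 1, "b": 1, "k": 1024, "kb": 1024, "m": 1024 ** 2, "mb": 1024 ** 2}

@dataclass
class Conn:
    remote_bytes: Optional[int]  # None where the report prints "?"
    remote_port: int
    alarm: Optional[int]         # C column digit: the alarm this connection triggered
    successful: bool             # C column "*"; blank means unsuccessful (see legend)
    initiator: str               # I column: ">" = remote host, "<" = local host
    local_port: int
    local_bytes: Optional[int]
    protocol: str

def _take_bytes(t, i):
    """Parse one byte-transfer field ("?", "566 b", "3.0kb", "0") at t[i]; return (bytes, next i)."""
    if t[i] == "?":
        return None, i + 1
    m = re.fullmatch(r"(\d*\.?\d+)([km]?b?)", t[i].lower())
    assert m, f"bad byte field {t[i]!r}"
    value, unit, i = float(m.group(1)), m.group(2), i + 1
    if not unit and i < len(t) and t[i].lower() in _UNIT:  # unit printed as its own token
        unit, i = t[i].lower(), i + 1
    return int(value * _UNIT[unit]), i

def parse_row(line):
    """Parse one data row of the Connections table (columns as in the legend above)."""
    t = line.split()                        # t[0..2] are date, time, duration
    remote_bytes, i = _take_bytes(t, 3)
    remote_port, i = int(t[i]), i + 1
    alarm, successful = None, False         # a blank C column leaves the I column next
    if t[i] == "*":
        successful, i = True, i + 1
    elif t[i].isdigit():
        alarm, i = int(t[i]), i + 1
    initiator, i = {">": "remote", "<": "local"}[t[i]], i + 1
    local_port, i = int(t[i]), i + 1
    local_bytes, i = _take_bytes(t, i)
    return Conn(remote_bytes, remote_port, alarm, successful,
                initiator, local_port, local_bytes, " ".join(t[i:]))

def parse_table(text):
    # Data rows start with "MM/DD HH:MM:SS"; header and rule lines are skipped.
    return [parse_row(l) for l in text.splitlines() if re.match(r"\s*\d\d/\d\d \d\d:\d\d:\d\d ", l)]

def assess(conns):
    """Walkthrough rule: successful local-initiated connections after the alarms suggest the
    attack worked; purely remote-initiated traffic with nothing successful back does not."""
    callbacks = [c for c in conns if c.alarm is None and c.initiator == "local" and c.successful]
    return {
        "alarms": [c.alarm for c in conns if c.alarm is not None],
        "successful": sum(c.successful for c in conns),
        "local_callbacks": len(callbacks),
        "post_alarm_bytes": sum((c.remote_bytes or 0) + (c.local_bytes or 0) for c in conns if c.alarm is None),
        "verdict": "investigate: local host connected back" if callbacks else "no successful local-initiated connections",
    }

# Rows excerpted from the two example incidents above (table headers omitted).
INCIDENT_1 = """\
07/29 12:43:31        ?     566 b  4634 1   >  1433      467 b tcp/MSSQL
07/29 12:43:31        0         ?  2318 2  <     69       20 b udp/tftp
07/29 12:43:32    265.7       4 b  4638 *  <   2318      3.0kb udp
07/29 12:54:35     12.8  195.0 kb  4701 *  <   2388          0 tcp
"""
INCIDENT_2 = """\
11/13 11:36:05 1.109227      297   1560 *    >    80     1531       http
11/13 11:36:06        ?        ?   1560      >    80        ?       http
"""
```

Running `assess(parse_table(INCIDENT_1))` flags the first incident because the local host opened successful connections back to the remote host after alarms 1 and 2, while the second incident shows no such callbacks.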

========================================================================
Scans (only first 100 shown)
========================================================================
The scans shown below are considered "successful". Four interesting scans shown below are the ones originating from the 124.333 and 132.257 domains, since they are local domains. These should be investigated. The attack against 132.257.85.96 might also be investigated further. With each report, a review of the attacks will give an understanding of what types of scans are becoming "popular".
Scanning IP      Victim IP       Attack
132.257.70.234   multiple        bro-1344-5
132.257.52.64    multiple        bro-1367-5
63.251.3.51      multiple        bro-2570-6
124.333.181.191  multiple        bro-1599-7
210.313.36.53    132.257.85.96   >1000 port scan
211.300.24.151   132.257.85.96   >1000 port scan
124.333.95.0     62.214.34.30    >250 port scan
172.278.206.135  multiple       (3128/tcp)

========================================================================
Connection Log Summary
========================================================================
The connection log summary gives a general idea of which hosts are most active. The analyst may want to become familiar with any new hosts that appear on the next three lists and with services that appear or radically change position on the fourth list.
Site-wide connection statistics
    Successful:   4498748
    Unsuccessful: 35941140
    Ratio: 1:7.989

Top 20 Sources
                Host                      IP         Bytes   Conn. Count
  --------------------------------  ---------------  ------  -----------
                  ns1.org_name.org  124.333.34.186    3.7 G       683948
                  ns2.org_name.org  132.257.64.2      165 M       231245
             lemonade.org_name.org  124.333.181.191    88 M       217781
                  nsx.org_name.org  132.257.64.3      371 M       200935
               cinnamon.mining.com  207.5.380.138     4.5 M       103011
       node2.lbnl.nodes.planet.org  198.328.56.12     106 M        75725
       node1.lbnl.nodes.planet.org  198.328.56.11      85 M        73719
      microscope.dhcp.org_name.org  132.257.19.79      61 M        54024
                                    169.299.224.1     2.3 M        40348
                uhuru.org_name.org  132.257.10.97     423 M        39847
                                    132.257.77.246     13 M        29496
            googledev.org_name.org  124.333.41.57      13 M        24930
                                    64.46.248.43       60 M        19785
  ...16-141.sfo4.dsl.contactor.net  66.292.16.141     6.2 M        19048
                       rock.es.net  198.128.2.83      2.8 G        18459
             perry.Geo.college.EDU  124.32.349.11     1.7 M        17326
               google.org_name.org  124.333.41.70     8.5 M        15508
             egspd42212.search.com  65.264.38.212     3.1 M        15138
       hmb-330-042.MSE.college.EDU  124.32.349.20     222 M        14865
          1rodan.dhcp.org_name.org  132.257.19.170    7.7 M        11873

Top 20 Destinations
                Host                      IP         Bytes   Conn. Count
  --------------------------------  ---------------  ------  -----------
                  nsx.org_name.org  132.257.64.3       14 G      1571638
                  ns1.org_name.org  124.333.34.186    1.6 G       264976
                  ns2.org_name.org  132.257.64.2       80 M       218740
             lemonade.org_name.org  124.333.181.191   2.6 G       176788
                 CS.university.EDU  128.312.136.10     10 M        81622
                 g.old-servers.net  192.42.293.30      11 G        71407
          engram.CS.university.EDU  128.312.136.12    7.5 M        61309
               aulvs.realthing.com  207.288.24.156    792 M        50493
                   ns1.college.EDU  124.32.349.9      995 M        39977
                  rohan.superc.gov  128.550.6.34      4.7 G        32883
            sportsmed.starship.com  199.281.132.79     17 M        32152
                      ns2.yoho.com  66.263.169.170    2.1 G        24361
                uhuru.org_name.org  132.257.10.97      58 M        19785
                      g3.NSDDD.COM  192.342.93.32     488 M        19734
                   w4.org_name.org  124.333.7.51      447 M        19334
                 E.TOP-SERVERS.NET  192.303.230.10    195 M        19066
               mantis.org_name.org  124.333.7.39      395 M        18811
              postala.org_name.org  124.333.41.61     8.0 M        17283
                vista.org_name.org  132.257.48.146    488 M        15961
               calmail.college.EDU  128.32.349.103     73 M        15154

Top 20 Local Email Senders
                  Hostname                        IP          Conn. Count
  ----------------------------------------  ---------------  -----------
                         mta1.org_name.org  124.333.41.24           3869
                      postala.org_name.org  124.333.41.61           2850
                           ci.org_name.org  132.257.192.220          868
                      postal2.org_name.org  132.257.248.26           376
                           ee.org_name.org  132.257.1.10             173
                         math.org_name.org  124.333.7.22             131
                         rod2.org_name.org  132.257.112.183          121
                         gigo.org_name.org  124.333.2.54             110
                          mh1.org_name.org  124.333.7.48              82
                          stm.org_name.org  132.257.16.51             81
                                  dppg.net  124.333.7.87              77
                     listserv.org_name.org  124.333.41.40             50
                      letters.org_name.org  132.257.16.123            44
                      portnoy.org_name.org  132.257.2.11              37
                      glacier.org_name.org  132.257.2.152             25
                      mailbag.org_name.org  132.257.16.222            22
                        sseos.org_name.org  124.333.181.217           21
                 ntlin01.dhcp.org_name.org  124.333.183.79            20
                       persil.org_name.org  124.333.5.106             20
                      beauty8.org_name.org  124.333.5.33              16
  A maximum of 20 entries are shown.
  There are another 39 that are not displayed.

Top 20 Services
  Service        Conn. Count  % of Total   Bytes In  Bytes Out
  ------------  ------------  ----------  ---------  ---------
  dns                3378522       75.10       30 G       11 G
  http                902573       20.06       18 G       11 G
  other                92913        2.07       14 G      249 G
  smtp                 35942        0.80      458 M      196 M
  https                33848        0.75      2.3 G      179 M
  ssh                  25515        0.57      977 M      1.0 G
  netbios-ssn          11004        0.24       65 M      9.5 M
  pop-3                 5494        0.12       58 M      3.6 M
  ftp-data              4495        0.10       37 G       34 G
  ldap                  3549        0.08      740 K      2.0 M
  ftp                   1061        0.02      1.3 M      873 K
  ident                  970        0.02      29602       9039
  printer                834        0.02        837       9176
  time                   645        0.01       2416        166
  imap4                  636        0.01       28 M       47 M
  nntp                   308        0.01      355 M      1.5 M
  pm_getport             238        0.01      13328       6664
  telnet                 164        0.00      469 K       7850
  ntp                     26        0.00       1344       1392
  X11                      6        0.00      652 K      64280
========================================================================
Byte Transfer Pairs
========================================================================
Once again, this summary gives a general idea of what hosts are most active. Radical changes to this list may indicate malicious activity.
Hot Report - Top 20
                                    Local      Remote     Conn.
  Local Host       Remote Host      Bytes      Bytes      Count
---------------  ---------------  ---------  ---------  ---------
124.333.28.60    128.265.128.131      123 G     5327 K  3930
124.333.28.60    128.265.128.132      123 G     5159 K  3927
132.257.64.3     198.328.2.83        2855 M     11.9 G  15097
124.333.34.186   192.342.93.30       2958 M     10.7 G  40033
132.257.64.3     61.283.32.172       7469 M      10393  11
124.333.41.57    128.256.6.34        12.0 M     4490 M  22360
124.333.181.191  81.257.197.163      1350 M     4430 M  3341
132.257.64.3     130.262.101.6        276 M     2200 M  13064
124.333.34.186   66.263.169.170       389 M     2095 M  17919
132.257.195.68   140.267.28.48       91.3 M     2029 M  6275
132.257.212.232  151.293.199.65       39155     1994 M  24
124.333.41.61    206.290.82.18         3401     1853 M  22
132.257.64.3     61.278.72.30        1798 M          7  1
124.333.181.191  61.263.209.246      16.8 M     1676 M  113
132.257.64.3     261.232.163.3       1544 M      24069  9
132.257.64.3     61.273.210.110      1517 M       4140  7
124.333.34.186   128.342.121.70      1351 M      222 M  14861
132.257.64.3     258.14.200.58       1350 M      24075  14
132.257.64.3     222.330.100.28      1219 M       4077  7
132.257.64.3     210.261.41.131      1162 M         25  3