Awarent

detect intrusions with Bro

AwareOS is capable of detecting intrusions from both external and internal sources. External threats are identified through traffic analysis; internal threats are discovered through divergence from system snapshots. We leverage several open-source tools to present a unified intrusion protection environment, augmented with a pre-defined ruleset that detects common threat signatures. When coupled with the system firewall, awareOS acts as an intrusion protection system as well.

The configuration methods of Suricata and Bro are fundamentally different: the former relies on signatures, whereas Bro has its own programming language. In awareOS, both tools constitute the basis for detecting external threats. To give you an idea of what that looks like, the sample Bro script below may be used to identify compromised hosts based on the frequency of DNS requests originating from each host.

@load base/frameworks/sumstats

# Count DNS queries per originating host over a 6-hour window and report
# both the total and the number of distinct query names at the end of each window.
event bro_init() {
    # The UNIQUE calculation keeps a set of distinct observed values (query names) per key.
    local r1 = SumStats::Reducer($stream="dns.lookup", $apply=set(SumStats::UNIQUE));
    SumStats::create([$name="dns.requests.unique",
                      $epoch=6hrs,
                      $reducers=set(r1),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = {
                          local r = result["dns.lookup"];
                          print fmt("%s did %d total and %d unique DNS requests in the last 6 hours.",
                                    key$host, r$num, r$unique);
                      }]);
}

# Feed every non-empty query sent to UDP/53 into the stream, keyed by the client address.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
    if ( c$id$resp_p == 53/udp && query != "" )
        SumStats::observe("dns.lookup", [$host=c$id$orig_h], [$str=query]);
}
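As an added example (not part of awareOS or of the Bro documentation), the same measurement extended so it raises a Notice framework entry instead of only printing at epoch end: the host's count of distinct query names is checked against a threshold as observations arrive, so an alert fires during the window rather than six hours later. The module name DNSDetect and the threshold of 500 distinct names are assumptions; the 6-hour epoch is the same as in the script above.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module DNSDetect;   # assumed module name

export {
    redef enum Notice::Type += {
        ## A host issued more distinct DNS query names per epoch than allowed.
        Excessive_DNS_Lookups
    };

    ## Distinct query names one host may issue per epoch (assumed value; tune per network).
    const unique_query_threshold: double = 500.0 &redef;

    ## Measurement window, identical to the original script's 6-hour epoch.
    const lookup_epoch: interval = 6hrs &redef;
}

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="dns.lookup", $apply=set(SumStats::UNIQUE));
    SumStats::create([$name="dns.requests.unique",
                      $epoch=lookup_epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key (one key per client host).
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["dns.lookup"]$unique + 0.0;
                          },
                      $threshold=unique_query_threshold,
                      # Invoked once per epoch for a host the moment it crosses the threshold.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["dns.lookup"];
                          NOTICE([$note=Excessive_DNS_Lookups,
                                  $src=key$host,
                                  $msg=fmt("%s issued %d distinct DNS query names (%d total) within %s",
                                           key$host, r$unique, r$num, lookup_epoch),
                                  $identifier=cat(key$host)]);
                          }]);
    }

# Same observation logic as the original script: every non-empty query to UDP/53, keyed by client.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( c$id$resp_p == 53/udp && query != "" )
        SumStats::observe("dns.lookup", [$host=c$id$orig_h], [$str=query]);
    }
```

The notice lands in notice.log, where the usual Notice policy can suppress repeats via the $identifier or escalate it; establish the network's normal per-host query baseline before relying on the threshold value.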