Bro/Zeek Script
Loading a Bro/Zeek Script
Custom Scripts for Security Onion
We will use the producer-consumer-ratio.zeek script and load it into Security Onion for this example. The end goal is to have a pcr field added to conn.log, which makes future analytics in Splunk easier to build. The ratio can also be computed at search time in a constrained environment, but where possible it is recommended to use the method below, so the value is present in every conn.log record as it is written.
Create a new directory under /opt/bro/share/bro/policy/ (in this example /opt/bro/share/bro/policy/custom-scripts).
Add your custom script(s) and a __load__.zeek file to this directory.
Modify __load__.zeek so that it references the scripts in the custom-scripts directory; Zeek loads __load__.zeek when the directory is loaded, and that file in turn loads each script.
Edit /opt/bro/share/bro/site/local.zeek. We want Zeek to load the new scripts in /opt/bro/share/bro/policy/custom-scripts, so add @load custom-scripts at the bottom of the file and save it.
Restart Bro.
Check for initial errors:
Check /nsm/bro/logs/current/loaded_scripts.log to see whether your custom script(s) has/have been loaded.
Check /nsm/bro/logs/current/reporter.log for clues if your custom script(s) is/are not working as desired.
--------------------------------------
What is PCR
Purpose: Find changes in traffic flows that indicate exfiltration.
Data Required: session data (Argus, NetFlow/IPFIX, or Bro logs).
Collection Considerations:
Analysis Techniques: Identify changes in host roles and investigate them. PCR is a normalized metric of the ratio of traffic sent to traffic received by a host, ranging from -1 to 1.
PCR  | host role
 1.0 | pure push - FTP upload, multicast, beaconing
 0.4 | 70:30 export - sending email
 0.0 | balanced exchange - NTP, ARP probe
-0.5 | 3:1 import - HTTP browsing
-1.0 | pure pull - HTTP download
Below is the script that we pulled with the wget command above.
This script can be used to implement the Producer Consumer Ratio as described by http://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_90063.pdf
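The following is an added illustration of what such a script looks like, not the script downloaded on this page. It uses the PCR definition from the SEI presentation cited above, (bytes sent by the originator - bytes sent by the responder) / (sum of both), computed from the payload byte counters c$orig$size and c$resp$size (an assumption; a script could equally use the IP-level counters in Conn::Info). The file names and the __load__.zeek contents in the header comment are assumptions that match the loading steps described earlier on this page; the only identifier taken from the page is the pcr column and the @load custom-scripts line.

```zeek
##! Added example (not the page's script): compute a Producer Consumer
##! Ratio per connection and log it as a new `pcr` column in conn.log.
##!   PCR = (originator payload bytes - responder payload bytes)
##!         / (originator payload bytes + responder payload bytes)
##!
##! Assumed layout, matching the loading steps on this page:
##!   /opt/bro/share/bro/policy/custom-scripts/__load__.zeek
##!       @load ./producer-consumer-ratio
##!   /opt/bro/share/bro/policy/custom-scripts/producer-consumer-ratio.zeek
##!       (this file)
##!   /opt/bro/share/bro/site/local.zeek has `@load custom-scripts` appended.

@load base/protocols/conn

module PCR;

export {
	## New conn.log column. It is &optional so a connection with no
	## payload in either direction leaves the column empty instead of
	## logging a misleading 0.0.
	redef record Conn::Info += {
		pcr: double &optional &log;
	};
}

# connection_state_remove fires once per connection when it is expired
# from the state table. The Conn::LOG record is written from a handler
# with &priority=-5, so a handler at a higher priority runs first and the
# value is already in the record when it is logged.
event connection_state_remove(c: connection) &priority=-3
	{
	if ( ! c?$conn )
		return;

	# Payload (application) bytes each endpoint sent. Adding 0.0 promotes
	# the count to a double so the subtraction below cannot underflow.
	local orig = c$orig$size + 0.0;
	local resp = c$resp$size + 0.0;

	# Edge case: no payload at all (for example a bare SYN that was never
	# answered). Leave pcr unset rather than dividing by zero.
	if ( orig + resp == 0.0 )
		return;

	# +1.0 = pure push (upload shape), 0.0 = balanced, -1.0 = pure pull.
	c$conn$pcr = (orig - resp) / (orig + resp);
	}
```

After restarting, the pcr column should appear in the #fields header of /nsm/bro/logs/current/conn.log; if it does not, confirm the script name shows up in loaded_scripts.log before looking at reporter.log for parse errors. For detection use, the interesting signal is a host whose typical pcr is negative (browsing, pulling) suddenly producing long-lived connections near +1.0, which is the push shape in the table above.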