LiamRandall/BsidesDC-Training
2013-10 BsidesDC Syllabus:

  1. Setup VM
     1. COPY files from stick to USB
     2. Install VirtualBox & VirtualBox Extensions
     3. Uncompress files: 7-zip on Windows, "The Unarchiver" on Mac
     4. Open the VM (replace BroTraining.vbox)
     5. Log on as bro/bro
     6. Class files, either:
        1. Mount the folder
        2. `git clone https://github.com/LiamRandall/BsidesDC-Training.git`
        3. Download the zip from https://github.com/LiamRandall/BsidesDC-Training/archive/master.zip
  2. What is Bro?
     1. Bro is a language first
     2. Event-driven
     3. Built-in variables like IP address and time interval are designed for network analysis
     4. Built-in functions can be implemented in C++ for speed and integration with other tools
  3. A Tour of the Bro logs
     1. Run Bro against a PCAP (e.g. `/opt/TrafficSamples/faf-traffic.pcap`)
     2. Go through some of the logs (e.g. `cat files.log | colorize`)
  4. SSL/TLS
     1. Exercise: `bro -C -r rsasnakeoil2.cap` (pcap)
     2. Exercise: `bro -r basic-gmail.pcap` (pcap)
  5. HTTP Auth
     1. Exercise: `bro -C -r http-auth.pcap` (pcap)
     2. Exercise: `bro -C -r http-auth.pcap http-auth.bro` (script)
  6. bro-cut
     1. Exercise: `bro -C -r http-basic-auth-multiple-failures.pcap`
     2. What is the count of the distinct status_code? `cat http.log | bro-cut status_code | sort | uniq -c | sort -n`
     3. What were the status codes by username?
     4. What happened here: `1 - test`? Why is this line missing the status_code? (hint: conn.log)
  7. Notice Framework
     1. Exercise: `bro -r 01_emailing_simple.bro synscan.pcap` (script, pcap)
     2. Exercise: `bro -r 02_emailing_complex.bro synscan.pcap` (script, pcap)
     3. Exercise: `bro -r 03_avoid_some_scanners.bro synscan.pcap` (script, pcap)
     4. Exercise: `bro -r 04_create_a_new_notice.bro mbam_download.trace` (script, pcap)
     5. Walk-through: 05_create_an_action.bro
  8. Intel Framework
     1. Exercise
     2. Exercise
     3. Exercise
  9. Files Framework
     1. File extraction demo
        1. Extract files: `bro -r /opt/TrafficSamples/exercise-traffic.pcap extract-all-files.bro` (script)
        2. Show files: `nautilus extract_files/`
        3. Play a video (the largest extracted file): `totem "extract_files/"\`ls -S1 extract_files | head -n 1\``
     2. Writing a script: (shell, solution)
     3. Running the script: `bro -r 01_notice_on_mimetype.bro /opt/TrafficSamples/faf-traffic.pcap`
     4. Walk-through: 02_run_exiftool.bro
  10. Signature Framework
     1. Exercise: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro`
     2. With file extraction: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro extract-all-files.bro` (script)
     3. Analyze requests/responses: `for i in \`bro-grep info.asp http.log | bro-cut orig_fuids resp_fuids | sed -e 's/\t/\n/' | grep -v '-'\`; do cat "extract_files/extract-HTTP-$i"; echo; echo "-------"; done`
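The bro-cut exercises in the syllabus above (distinct status_code counts, status codes by username, and the line with no status_code) worked through on a constructed http.log, as an added example that is not part of the training repository. The `bro_cut` function here is an awk stand-in for the real bro-cut tool, and the log lines, uids and timestamps are made up.

```shell
#!/bin/sh
# Added example, not part of the training repo: an awk emulation of bro-cut run
# over a constructed http.log so the bro-cut exercises can be followed without
# the PCAP. Bro ASCII logs are tab-separated, carry a "#fields" header naming
# each column, and write "-" for an unset value; bro-cut resolves column names
# from that header, which is what the awk below does.
export LC_ALL=C   # byte-order collation keeps sort/uniq output deterministic

# Constructed sample log: two failed basic-auth requests by "test", one success
# by "alice", and one request by "test" that never received a response ("-").
write_sample_log() {
  {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tusername\tstatus_code\n'
    printf '#types\ttime\tstring\tstring\tcount\n'
    printf '1381000000.1\tCa1\ttest\t401\n'
    printf '1381000001.2\tCa2\ttest\t401\n'
    printf '1381000002.3\tCa3\talice\t200\n'
    printf '1381000003.4\tCa4\ttest\t-\n'
  } > "$1"
}

# bro_cut NAME...: print the named columns of the Bro log read on stdin.
bro_cut() {
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }  # name -> column
    /^#/ { next }                                                    # other metadata
    {
      out = ""
      for (i = 1; i <= n; i++) { k = idx[names[i]]; out = out (i > 1 ? "\t" : "") $k }
      print out
    }'
}

# Count of each distinct status_code (the pipeline from the syllabus).
count_status_codes() { bro_cut status_code < "$1" | sort | uniq -c | sort -n; }

# Status codes broken down by username.
status_by_user() { bro_cut status_code username < "$1" | sort | uniq -c | sort -n; }

# Requests with no status_code at all: look each uid up in conn.log (the hint)
# to see the connection state that explains the missing response.
uids_without_status() { bro_cut uid status_code < "$1" | awk -F'\t' '$2 == "-" { print $1 }'; }

log="${TMPDIR:-/tmp}/sample_http.log"
write_sample_log "$log"
count_status_codes "$log"
status_by_user "$log"
uids_without_status "$log"
```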

About

2013-10 BsidesDC Training Resources