LiamRandall/BsidesDC-Training
2013-10 BsidesDC Syllabus:

1. Setup VM
   1. COPY files from stick to USB
   2. Install VirtualBox & VirtualBox Extensions
   3. Uncompress files: 7-zip on Windows, "The Unarchiver" on Mac
   4. Open the VM (replace BroTraining.vbox)
   5. Log on as bro/bro
   6. Class files, either:
      1. Mount the folder
      2. `git clone https://github.com/LiamRandall/BsidesDC-Training.git`
      3. Download the zip from https://github.com/LiamRandall/BsidesDC-Training/archive/master.zip
2. What is Bro?
   1. Bro is a language first
   2. Event-driven
   3. Built-in variables like IP address and time interval are designed for network analysis
   4. Built-in functions can be implemented in C++ for speed and integration with other tools
3. A Tour of the Bro logs
   1. Run Bro against a PCAP (e.g. `/opt/TrafficSamples/faf-traffic.pcap`)
   2. Go through some of the logs (e.g. `cat files.log | colorize`)
4. SSL/TLS
   1. Exercise: `bro -C -r rsasnakeoil2.cap` (pcap)
   2. Exercise: `bro -r basic-gmail.pcap` (pcap)
5. HTTP Auth
   1. Exercise: `bro -C -r http-auth.pcap` (pcap)
   2. Exercise: `bro -C -r http-auth.pcap http-auth.bro` (script)
6. bro-cut
   1. Exercise: `bro -C -r http-basic-auth-multiple-failures.pcap`
   2. What is the count of the distinct status_code values? `cat http.log | bro-cut status_code | sort | uniq -c | sort -n`
   3. What were the status codes by username?
   4. What happened here? `1 - test`: why is this line missing the status_code? (hint: conn.log)
7. Notice Framework
   1. Exercise: `bro -r 01_emailing_simple.bro synscan.pcap` (script, pcap)
   2. Exercise: `bro -r 02_emailing_complex.bro synscan.pcap` (script, pcap)
   3. Exercise: `bro -r 03_avoid_some_scanners.bro synscan.pcap` (script, pcap)
   4. Exercise: `bro -r 04_create_a_new_notice.bro mbam_download.trace` (script, pcap)
   5. Walk-through `05_create_an_action.bro`
8. Intel Framework
   1. Exercise
   2. Exercise
   3. Exercise
9. Files Framework
   1. File extraction demo
      1. Extract files: `bro -r /opt/TrafficSamples/exercise-traffic.pcap extract-all-files.bro` (script)
      2. Show files: `nautilus extract_files/`
      3. Play a video: ``totem "extract_files/`ls -S1 extract_files | head -n 1`"``
   2. Writing a script: (shell, solution)
   3. Running the script: `bro -r 01_notice_on_mimetype.bro /opt/TrafficSamples/faf-traffic.pcap`
   4. Walk-through `02_run_exiftool.bro`
10. Signature Framework
    1. Exercise: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro`
    2. With file extraction: `bro -r /opt/PCAPS_TRAFFIC_PATTERNS/APT/mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap site/local.bro extract-all-files.bro` (script)
    3. Analyze requests/responses: ``for i in `bro-grep info.asp http.log | bro-cut orig_fuids resp_fuids | sed -e 's/\t/\n/' | grep -v '-'`; do cat "extract_files/extract-HTTP-$i"; echo; echo "-------"; done``

About

2013-10 BsidesDC Training Resources