Introduction
Bro (www.bro-ids.org) is an amazing suite of software which can do things that no other IDS on the planet can come close to. In this post, I want to cover one such feature: SSL monitoring. Bro has a true understanding of the SSL being used on your network and will efficiently process certificates on the wire for a variety of purposes. Out of the box, Bro can very efficiently and accurately identify invalid and self-signed certificates, going so far as to actually walk the certificate chain using the certs that ship with Mozilla browsers for a true test. In addition, Bro will extract all of the relevant details from certificates for logging purposes, which can provide a handy historical record of the sites and companies involved in SSL, which is the next best thing to performing proxy/MITM SSL inspection.
Installing Bro
This quickstart guide will show how to get up and running with Bro on Ubuntu. I hope that most of the commands and tips will apply to other operating systems and Linux distros, but there will surely be some differences.
Begin by making sure we've got our prerequisites in order:
apt-get install git libssl-dev swig libmagic-dev libgeoip-dev
Grab the latest Bro from the git repository. Beware, this is cutting edge code, and you may need to download the latest stable tarball from www.bro-ids.org if the git build fails:
git clone --recursive git://git.bro-ids.org/bro
Now you will have bro and auxiliary files in a directory named "bro."
cd bro
I have discovered that on some Linux distros (SuSE, for one), the installed version of CMake is older than 2.6.3, so it needs to be downloaded from www.cmake.org and installed by hand, because Bro requires 2.6.3 or better. (Edited: "--enable-brov6" apparently has memory leaks right now.)
./configure --prefix=/usr/local/bro-git
There are a fair number of options here, but the configure script does a pretty good job of finding out what you've already got installed and adjusting accordingly. Since we're looking to do SSL inspection, at a minimum you'll need to make sure you've got the OpenSSL development libraries installed, which we've done above with apt-get. If all goes well, we do the make:
make && cd build && sudo make install
Now we will add a custom Bro script that Seth Hall wrote, which prints to STDOUT any SSL certificate that became valid less than 30 days ago.
cd /usr/local/bro-git/share/bro/site/
vi young-ssl.bro
Paste in the following (edited: removed "@load protocols/ssl"):
event SSL::log_ssl(rec: SSL::Info)
    {
    # We have to check if there is a not_valid_before field because not
    # all SSL transactions actually exchange certificates (i.e. resumed session).
    if ( rec?$not_valid_before && rec$not_valid_before >= network_time() - 30 days &&
         rec$not_valid_before <= network_time() )
        {
        print fmt("%s is using a certificate that just became valid in the last 30 days (%T) (%s)",
                  rec$id$resp_h, rec$not_valid_before, rec$subject);
        }
    }
Now we activate it in the config:
echo "@load young-ssl" >> local.bro
Create some basic log directories for a test run:
mkdir /tmp/bro-logs
cd /tmp/bro-logs
Start bro (assuming we want to monitor eth1):
sudo /usr/local/bro-git/bin/bro -i eth1 local
Let it run for a while, then have a look at the various logs created. ssl.log will contain a record for every SSL connection observed, with the certificate details where one was exchanged. Here's an example:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name subject not_valid_before not_valid_after validation_status
1313897881.475569 QUVGS5xx9ea 192.168.1.121 36804 199.59.148.87 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA api.twitter.com CN=api.twitter.com,OU=Twitter Platform,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US 1274158800.000000 1337317199.000000 ok
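As an added example (not code from the post or from Bro itself), here is a small Python reader for the ssl.log layout shown above that applies the same 30-day test as young-ssl.bro offline, after the fact. It assumes the log is tab-separated with a "# " header line and "-" for unset fields, which is how Bro writes it; the log records below are constructed, modelled on the excerpt.

```python
# Constructed sample modelled on the ssl.log excerpt in the post: a "# " header
# names the columns, then tab-separated records with unset fields written as "-".
# Record 2 is a constructed cert that became valid 10 days before record 1's ts;
# record 3 is a resumed session that carried no certificate at all.
SAMPLE_LOG = (
    "# ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\t"
    "server_name\tsubject\tnot_valid_before\tnot_valid_after\tvalidation_status\n"
    "1313897881.475569\tQUVGS5xx9ea\t192.168.1.121\t36804\t199.59.148.87\t443\t"
    "TLSv10\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\tapi.twitter.com\t"
    "CN=api.twitter.com,OU=Twitter Platform,O=Twitter\\, Inc.,L=San Francisco,"
    "ST=California,C=US\t1274158800.000000\t1337317199.000000\tok\n"
    "1313897900.000000\tAbCdEf12345\t192.168.1.50\t50111\t203.0.113.7\t443\t"
    "TLSv10\tTLS_RSA_WITH_RC4_128_SHA\t-\tCN=test.example,O=Example\t"
    "1313033881.000000\t1344569881.000000\tself signed certificate\n"
    "1313897950.000000\tZyXwVu98765\t192.168.1.121\t36810\t199.59.148.87\t443\t"
    "TLSv10\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\tapi.twitter.com\t-\t-\t-\t-\n"
)


def parse_ssl_log(text):
    """Yield one dict per record, keyed by the column names from the '# ' header;
    a '-' field (unset in Bro's log) becomes None."""
    columns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            columns = line.lstrip("# ").split("\t")
            continue
        values = line.split("\t")
        yield {c: (None if v == "-" else v) for c, v in zip(columns, values)}


def young_certs(records, now, max_age_days=30):
    """Offline version of the young-ssl.bro test: not_valid_before lies within the
    last max_age_days and is not in the future. Records without a certificate
    (resumed sessions) are skipped, mirroring the rec?$not_valid_before check."""
    window = max_age_days * 86400  # same arithmetic as Bro's "30 days" interval
    hits = []
    for r in records:
        nvb = r.get("not_valid_before")
        if nvb is None:
            continue
        t = float(nvb)
        if now - window <= t <= now:
            hits.append((r["id.resp_h"], r["subject"], r["validation_status"]))
    return hits


if __name__ == "__main__":
    recs = list(parse_ssl_log(SAMPLE_LOG))
    # the first record's timestamp stands in for network_time() so the run is reproducible
    for resp_h, subject, status in young_certs(recs, now=float(recs[0]["ts"])):
        print(f"{resp_h} is using a certificate that just became valid: {subject} ({status})")
```

Pointing it at a real ssl.log from /tmp/bro-logs with the current time as `now` gives the same alerts the Bro script prints live, which is useful for reviewing a day's logs in one pass.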
So there you have it! A fully functional Bro installation in just a few easy steps. In a future post, I will show you how to get Bro output into various output collection mechanisms like syslog and databases.