{"id":11281,"date":"2022-01-17T22:55:24","date_gmt":"2022-01-17T19:55:24","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11281"},"modified":"2024-03-14T19:13:06","modified_gmt":"2024-03-14T16:13:06","slug":"analyze-network-traffic-using-brim-security","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/analyze-network-traffic-using-brim-security\/","title":{"rendered":"Analyze Network Traffic Using Brim Security"},"content":{"rendered":"\n<p>In this tutorial, you will learn how you can analyze network traffic using the <a href=\"https:\/\/www.brimdata.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Brim<\/a> security tool. Brim is an open source <strong>desktop application<\/strong> that can be used to analyze structured network traffic data such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>packet captures, e.g. created by&nbsp;<a href=\"https:\/\/www.wireshark.org\/\" target=\"_blank\" rel=\"noopener\">Wireshark<\/a><\/li>\n\n\n\n<li>structured logs, especially from the&nbsp;<a href=\"https:\/\/www.zeek.org\/\" target=\"_blank\" rel=\"noopener\">Zeek<\/a>&nbsp;network analysis framework.<\/li>\n<\/ul>\n\n\n\n<p>According to their page, <em>Brim is built from open source components, including<\/em>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><a href=\"https:\/\/github.com\/brimdata\/zed\" target=\"_blank\" rel=\"noreferrer noopener\">Zed<\/a>, a structured log query engine;<\/em><\/li>\n\n\n\n<li><em><a href=\"https:\/\/www.electronjs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Electron<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/reactjs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">React<\/a>&nbsp;for multi-platform UI;<\/em><\/li>\n\n\n\n<li><em><a href=\"https:\/\/www.zeek.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zeek<\/a>, to generate network analysis data from packet capture files<\/em>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing Network Traffic Using Brim Security<\/h2>\n\n\n\n<p>In our 
previous tutorial, we discussed how to analyze network traffic using Zeek.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/analyze-network-traffic-using-zeek\/\" target=\"_blank\" rel=\"noreferrer noopener\">Analyze Network Traffic using Zeek<\/a><\/p>\n\n\n\n<p>In the above tutorial, the analysis was done mostly using the <strong><code>zeek-cut<\/code><\/strong> command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Brim Security on Ubuntu\/Debian Desktop<\/h3>\n\n\n\n<p>Download the Brim Debian binary installer from the <a href=\"https:\/\/www.brimdata.io\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">downloads page<\/a>.<\/p>\n\n\n\n<p>You can download it using wget. Be sure to change the version number to the current release.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/brimdata\/brim\/releases\/download\/v0.28.0\/Brim-0.28.0.deb<\/code><\/pre>\n\n\n\n<p>Once the download is complete, run the command below to install Brim;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install .\/Brim-0.28.0.deb -y<\/code><\/pre>\n\n\n\n<p>On Debian 11 Bullseye, there are some dependencies that cannot be met.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>The following packages have unmet dependencies:\n brim : Depends: libappindicator3-1 but it is not installable\nE: Unable to correct problems, you have held broken packages.<\/code><\/pre>\n\n\n\n<p>To fix this, temporarily add the Debian 10 buster repos to the Debian 11 system;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'deb http:\/\/ftp.de.debian.org\/debian buster main' &gt; \/etc\/apt\/sources.list.d\/buster.list<\/code><\/pre>\n\n\n\n<p>Update the repos and install Brim on Debian 11;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install .\/Brim-0.28.0.deb -y<\/code><\/pre>\n\n\n\n<p>Once the installation is done, remove the Debian 10 buster repos so that later upgrades do not pull in packages from the older release;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rm -rf 
\/etc\/apt\/sources.list.d\/buster.list<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Brim on CentOS\/Rocky Linux\/RHEL Based Desktop Systems<\/h3>\n\n\n\n<p>Similarly, download the RPM binary from the downloads page and install it;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum localinstall https:\/\/github.com\/brimdata\/brim\/releases\/download\/v0.28.0\/Brim-0.28.0.rpm<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Brim Security<\/h3>\n\n\n\n<p>You can now launch Brim Security from your system application menu;<\/p>\n\n\n\n<p>On Debian 11, for example;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1602\" height=\"647\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/launching-brim.png\" alt=\"run brim security\" class=\"wp-image-11300\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/launching-brim.png?v=1642448827 1602w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/launching-brim-768x310.png?v=1642448827 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/launching-brim-1536x620.png?v=1642448827 1536w\" sizes=\"(max-width: 1602px) 100vw, 1602px\" \/><\/figure>\n\n\n\n<p>When first launched, Brim opens the release notes tab. 
You can close the tab; this is how the Brim desktop app looks:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1249\" height=\"788\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-desktop-app.png\" alt=\"Analyze Network Traffic Using Brim Security\" class=\"wp-image-11301\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-desktop-app.png?v=1642448865 1249w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-desktop-app-768x485.png?v=1642448865 768w\" sizes=\"(max-width: 1249px) 100vw, 1249px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Analyze Network Traffic with Brim Security<\/h3>\n\n\n\n<p>In order to learn how to use Brim Security, we will analyze the same PCAP file from <a href=\"https:\/\/download.cyberdefenders.org\/BlueYard\/c04-MalwareTrafficAnalysis1.zip\" target=\"_blank\" rel=\"noreferrer noopener\">cyberdefenders.org<\/a> that we <a href=\"https:\/\/kifarunix.com\/analyze-network-traffic-using-zeek\/#zeek-cut-analysis\" target=\"_blank\" rel=\"noreferrer noopener\">analyzed using zeek-cut<\/a> and try to answer the same questions.<\/p>\n\n\n\n<p>Thus, download and extract the PCAP file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/download.cyberdefenders.org\/BlueYard\/c04-MalwareTrafficAnalysis1.zip -P ~\/Downloads<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~\/Downloads\nunzip -P cyberdefenders.org c04-MalwareTrafficAnalysis1.zip<\/code><\/pre>\n\n\n\n<p>You should now have a PCAP file, <strong><code>mta1.pcap<\/code><\/strong>.<\/p>\n\n\n\n<p>To analyze this network traffic packet capture using Brim;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Import the PCAP file into Brim for analysis, either by dragging the file into Brim or by uploading it through the import option.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1249\" 
height=\"788\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/files-import-upload.png\" alt=\"\" class=\"wp-image-11302\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/files-import-upload.png?v=1642448913 1249w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/files-import-upload-768x485.png?v=1642448913 768w\" sizes=\"(max-width: 1249px) 100vw, 1249px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upon upload, Brim immediately begins to process the network traffic file using its built-in <strong>Zeek<\/strong> engine;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1250\" height=\"788\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/upload-n-process-pcap-file-brim.png\" alt=\"\" class=\"wp-image-11303\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/upload-n-process-pcap-file-brim.png?v=1642448949 1250w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/upload-n-process-pcap-file-brim-768x484.png?v=1642448949 768w\" sizes=\"(max-width: 1250px) 100vw, 1250px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It takes just a few minutes to process the PCAP file, depending on its size.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1248\" height=\"783\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-processed-logs.png\" alt=\"\" class=\"wp-image-11304\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-processed-logs.png?v=1642448985 1248w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/brim-processed-logs-768x482.png?v=1642448985 768w\" sizes=\"(max-width: 1248px) 100vw, 1248px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>From the events on the dashboard, you can easily spot the Zeek-generated logs, whose paths include <strong>dns<\/strong>, 
<strong>stats<\/strong>, <strong>conn<\/strong>, <strong>weird<\/strong>, <strong>capture_loss<\/strong>, etc.<\/li>\n\n\n\n<li>You can also notice logs whose path is named <strong>alert<\/strong>. These are logs generated by Brim&#8217;s Suricata engine rules.<\/li>\n\n\n\n<li>On the left pane, you can also see the various query groups, such as DNS queries, File activity&#8230;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Network Traffic Overview Activity<\/h4>\n\n\n\n<p>On the left pane, click <strong>Overview Activity<\/strong> to see the number of occurrences of the various types of network traffic connections.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1247\" height=\"626\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/network-activity-overview.png\" alt=\"\" class=\"wp-image-11305\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/network-activity-overview.png?v=1642449015 1247w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/network-activity-overview-768x386.png?v=1642449015 768w\" sizes=\"(max-width: 1247px) 100vw, 1247px\" \/><\/figure>\n\n\n\n<p>Now, let&#8217;s try to answer the questions related to the Cyberdefenders.org PCAP file above.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. What is the IP address of the Windows VM that gets infected?<\/h4>\n\n\n\n<p>As mentioned in our previous guide with Zeek, one way to find infected machines is to identify which IPs\/hosts are involved in connections with a large number of packets or bytes; in this case we refer to them as the&nbsp;<strong>top talkers<\/strong>.<\/p>\n\n\n\n<p>If you check the sample queries on the left pane, you can see a query named <strong>Connection Received Data<\/strong>.<\/p>\n\n\n\n<p>Click on the query and you should see events like those below. You can see that a single host is involved in a large number of external connections. 
You can also see the number of bytes exchanged between the external hosts and the local host.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1245\" height=\"716\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/infected-vIP.png\" alt=\"\" class=\"wp-image-11306\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/infected-vIP.png?v=1642449041 1245w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/infected-vIP-768x442.png?v=1642449041 768w\" sizes=\"(max-width: 1245px) 100vw, 1245px\" \/><\/figure>\n\n\n\n<p>Thus, it can be assumed that the host <strong>172.16.165.165<\/strong> is the culprit.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2. What is the host name of the Windows VM that gets infected?<\/h4>\n\n\n\n<p>It is possible to get the hostname associated with an IP address by checking DHCP, NetBIOS Name Service (NBNS), or SMB related traffic.<\/p>\n\n\n\n<p>From the Activity Overview, you can see the types of traffic found in the PCAP file. Thus, analyze the DHCP related traffic to get the hostname of the infected virtual machine.<\/p>\n\n\n\n<p>On the search bar, enter the query;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>_path \"dhcp\" | cut client_addr, client_fqdn<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1243\" height=\"569\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname.png\" alt=\"\" class=\"wp-image-11307\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname.png?v=1642449098 1243w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname-768x352.png?v=1642449098 768w\" sizes=\"(max-width: 1243px) 100vw, 1243px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">3. What is the MAC address of the infected VM?<\/h4>\n\n\n\n<p>The DHCP server assigns IP addresses to systems based on their MAC addresses. 
Thus, the same information can be obtained from the DHCP traffic.<\/p>\n\n\n\n<p>Use the query below on Brim;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>_path \"dhcp\" | cut client_addr, client_fqdn, mac<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1243\" height=\"569\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname-1.png\" alt=\"\" class=\"wp-image-11308\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname-1.png?v=1642449123 1243w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/client-hostname-1-768x352.png?v=1642449123 768w\" sizes=\"(max-width: 1243px) 100vw, 1243px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">4. What is the IP address of the compromised web site?<\/h4>\n\n\n\n<p>If you analyze the http logs, you will notice that the site <strong><code>http:\/\/www.ciniholland.nl\/<\/code><\/strong> appears as the referrer for requests to quite a number of other sites. 
It looks like that site embeds links that take users to other sites when clicked.<\/p>\n\n\n\n<p>Brim query;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>_path \"http\" | cut id.orig_h, id.resp_h, host, referrer | uniq<\/code><\/pre>\n\n\n\n<p>Hence, we can conclude that this is the compromised site, whose IP address is <strong><code>82.150.140.30<\/code><\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1243\" height=\"515\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/compromised-site-IP.png\" alt=\"\" class=\"wp-image-11309\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/compromised-site-IP.png?v=1642449144 1243w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/01\/compromised-site-IP-768x318.png?v=1642449144 768w\" sizes=\"(max-width: 1243px) 100vw, 1243px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">5. What is the FQDN of the compromised website?<\/h4>\n\n\n\n<p>Answered above: <strong><code>www.ciniholland.nl<\/code><\/strong>.<\/p>\n\n\n\n<p>There is more that can be dug out of this capture.<\/p>\n\n\n\n<p>However, that is it for this tutorial. 
Feel free to share your thoughts in the comments section.<\/p>\n\n\n\n<p>Read more on the Brim <a href=\"https:\/\/github.com\/brimdata\/brim\/wiki\" target=\"_blank\" rel=\"noreferrer noopener\">Wiki<\/a> page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-enroll-elastic-agents-to-fleet-manager-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Enroll Elastic Agents to Fleet Manager in Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detect Changes to Critical Files in Linux using Auditbeat and ELK<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how you can analyze network traffic using Brim security tool. Brim is an open source desktop application that can<\/p>\n","protected":false},"author":3,"featured_media":11301,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121],"tags":[4429,4431,4433,4435,4434,4430,4432],"class_list":["post-11281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","tag-analyze-network-traffic-using-brim","tag-analyze-pcap-file-using-zeek","tag-analyze-pcap-file-with-brim","tag-brim-and-zeek","tag-brim-security","tag-brim-security-setup","tag-zee","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11281"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embe
ddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11281"}],"version-history":[{"count":9,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11281\/revisions"}],"predecessor-version":[{"id":21316,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11281\/revisions\/21316"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11301"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}