TI: DCE-RPC log generation with Bro

Keywords:

  • Network detection, network protocols, C++, binpac, Bro, SMB, DCE/RPC
  • duration: 5-10 months
  • Context: HBO

Context:

The network security monitoring framework Bro (http://www.bro.org) provides valuable information during incident response and day-to-day network monitoring. Its extensive SMB support makes it particularly useful in investigations that involve lateral movement. Much of the activity that matters in such investigations, however, happens in DCE/RPC interfaces carried over SMB (named pipes), which Bro currently does not decode in detail. To improve visibility into this traffic, Bro should be extended with protocol parsers for some (or ideally all) of these DCE/RPC interfaces.

Activities:

This project consists of one or two phases, depending on the available time and the candidate's experience.

Phase one:

  • investigate which DCE/RPC interfaces are relevant to log from a security standpoint (for example those involved in lateral movement)
  • extend Bro with a binpac parser for at least one DCE/RPC interface, so that its calls appear in Bro's logs

Phase two:

  • using the experience gained in phase one, find a way to generate binpac parsers for other DCE/RPC interfaces generically instead of writing each one by hand.
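Whatever interface phase one targets, the parser first has to handle the DCE/RPC connection-oriented common header and the bind request, because the bind is where the interface UUID is negotiated and therefore the first thing worth logging. The following is an added example written for this page in Python (as one would prototype the wire format before committing it to binpac); it is not Fox-IT's code and not Bro's own DCE/RPC analyzer. The sample PDU is constructed by hand for the example, and the small table of well-known interface UUIDs is an assumption about what an analyst would keep; the field layout follows the DCE 1.1 RPC specification.

```python
"""Parse the DCE/RPC connection-oriented common header and a bind request.

Added example for illustration only; the sample PDU below is constructed by
hand (not a capture) and the interface table is an assumed analyst-side list.
"""
import struct
import uuid

# PDU types (PTYPE field) used here, from the DCE 1.1 RPC specification.
PTYPE_REQUEST = 0
PTYPE_BIND = 11

# Assumed table of well-known interface UUIDs relevant to lateral movement.
KNOWN_INTERFACES = {
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl",  # service control manager
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc",  # server service (shares)
}


def parse_header(data):
    """Return the 16-byte common header as a dict; raise ValueError on bad input."""
    if len(data) < 16:
        raise ValueError("short PDU: %d bytes, need at least 16" % len(data))
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", data, 0)
    drep = data[4:8]
    # Bit 4 of packed_drep[0] selects the integer byte order of the whole PDU.
    order = "<" if drep[0] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(order + "HHI", data, 8)
    if rpc_vers != 5:
        raise ValueError("unexpected rpc_vers %d" % rpc_vers)
    if frag_length > len(data):
        raise ValueError("frag_length %d exceeds buffer of %d" % (frag_length, len(data)))
    return {"rpc_vers": rpc_vers, "rpc_vers_minor": rpc_vers_minor, "ptype": ptype,
            "pfc_flags": pfc_flags, "byte_order": order, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}


def _read_syntax(data, off, order):
    """Read a p_syntax_id_t: 16-byte UUID followed by a 32-bit version (minor<<16 | major)."""
    raw = data[off:off + 16]
    if len(raw) != 16:
        raise ValueError("truncated syntax id at offset %d" % off)
    # The first three UUID fields are encoded in DREP order; for little-endian
    # that is exactly the layout Python's uuid module calls bytes_le.
    u = uuid.UUID(bytes_le=raw) if order == "<" else uuid.UUID(bytes=raw)
    (version,) = struct.unpack_from(order + "I", data, off + 16)
    return str(u), version & 0xFFFF, version >> 16, off + 20


def parse_bind(data):
    """Parse a bind PDU and return (header, list of presentation contexts)."""
    hdr = parse_header(data)
    if hdr["ptype"] != PTYPE_BIND:
        raise ValueError("not a bind PDU (ptype=%d)" % hdr["ptype"])
    order = hdr["byte_order"]
    body = data[:hdr["frag_length"]]
    max_xmit, max_recv, assoc_group = struct.unpack_from(order + "HHI", body, 16)
    n_ctx = body[24]                      # n_context_elem, then 3 reserved bytes
    off = 28
    contexts = []
    for _ in range(n_ctx):
        cont_id, n_transfer = struct.unpack_from(order + "HB", body, off)
        off += 4                          # p_cont_id, n_transfer_syn, reserved
        abstract, major, minor, off = _read_syntax(body, off, order)
        transfer = []
        for _ in range(n_transfer):
            ts, tmaj, tmin, off = _read_syntax(body, off, order)
            transfer.append((ts, tmaj, tmin))
        contexts.append({"context_id": cont_id, "interface_uuid": abstract,
                         "interface_version": "%d.%d" % (major, minor),
                         "interface_name": KNOWN_INTERFACES.get(abstract, "unknown"),
                         "transfer_syntaxes": transfer})
    if off > len(body):
        raise ValueError("bind body runs past frag_length")
    return hdr, contexts


# Constructed sample: a first+last fragment, little-endian bind for svcctl v2.0
# offering the NDR transfer syntax. 72 bytes in total (frag_length 0x48).
SAMPLE_BIND = bytes.fromhex(
    "05000b03" "10000000" "4800" "0000" "01000000"              # common header
    "d016" "d016" "00000000"                                     # max_xmit, max_recv, assoc_group
    "01" "00" "0000"                                             # n_context_elem, reserved
    "0000" "01" "00"                                             # p_cont_id, n_transfer_syn, reserved
    "81bb7a36" "4498" "f135" "ad3298f038001003" "02000000"       # svcctl UUID, version 2.0
    "045d888a" "eb1c" "c911" "9fe808002b104860" "02000000"       # NDR UUID, version 2.0
)

if __name__ == "__main__":
    header, ctxs = parse_bind(SAMPLE_BIND)
    for c in ctxs:
        print("call_id=%d bind %s (%s) v%s" % (header["call_id"], c["interface_name"],
                                               c["interface_uuid"], c["interface_version"]))
```

Two points carry over directly to a binpac implementation: the byte order of every integer after the first four bytes is decided by the DREP field, so the record for the header has to select its &byteorder from that field rather than assume little-endian, and frag_length (not the transport) delimits a PDU, so a parser should reject or buffer anything shorter than it rather than read past the end.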

Requirements:

The ideal candidate has experience with:

  • network protocol analysis tools such as Wireshark and Bro
  • C++, Python and Perl
  • the SMB and DCE/RPC protocols

Interested?

Please send your CV and motivation to vacature[at]fox-it.com. Questions about the project can be sent to the same address (vacature[at]fox-it.com).

Contact us

+31 (0) 15 284 79 99

fox@fox-it.com

Delft