Detecting Encryption

Hi all,

I am relatively new to Bro and was wondering if Bro has any way of
detecting encryption and/or plain text in the dpd module or anywhere else.

I have several use cases.

1. I wish to determine whether a program that has an auto-update feature
is sending the updates using encryption.

2. I wish to determine if a chat application is sending data encrypted.

I had a suggestion from my advisor that I should compress the data
being sent over the wire to see if it is compressible or not and use
that in determining whether a stream is using encryption or not.

Any suggestions or advice on this problem would be greatly appreciated.

Regards,
Ben Mixon-Baca

Check out ssl.log and x509.log.

James

Bro has functions to measure entropy, see
https://www.bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-find_entropy.

Robin

That is amazing! Would I need to make additions in a script of mine in
order to differentiate between encryption and compression?

I had a suggestion from my advisor that I should compress the
data being sent over the wire to see if it is compressible or not
and use that in determining whether a stream is using encryption
or not.

Bro has functions to measure entropy, see
https://www.bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-find_entropy.

Unfortunately we still haven’t added file and connection entropy analyzers yet. I have a file entropy analyzer floating around somewhere, but generally both of those are extremely easy to write. I think that Ben would need those to do what he’s trying to do.

  .Seth

Seth, was the link provided not a file entropy analyzer?

Bro has functions to measure entropy, see
https://www.bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-find_entropy.

No, those are built-in-functions (BiFs) to calculate entropy on strings that are available in Bro’s scripting language.

  .Seth

OK thanks. So I would write my own broscripts to do connection and
file entropy analysis then right?

These wouldn’t be written as scripts. Connection and file analyzers need to be written as plugins or in the core. They are typically implemented in C++ or BinPAC.

  .Seth