[Bro] BRO & Malware Hash Registry

Ewald Beekman E.H.Beekman at amc.nl
Wed Mar 10 02:29:53 PST 2010

Hi Seth,

Sorry for bothering you, but ..
did you get any further with the cleanup of the code?

I have used Bro for about two weeks now and it helps me
detect malware infections very well (i check for suspicious
downloads and redownload them myself). Allthough i really
would like the automation to check agains the MHR, my personal
findings indicate that the hashes are commonly not know.
Would it be an idea to check the hash against virustotal?
don't know if the scripting language of Bro is even capable of
doing that. I wrote a perl script to do it from the commandline
but it uses WWW::Mechanize.

Perhaps a better idea for BRO/VT capabilities is to use an
intermediate system which does the hash checking with VT and
caches the results. Bro could than use simple http to check
the hash against the intermediate system.

just my thoughts, free flowing ;)

thanks in advance,

Ewald Beekman...

On Mon, Mar 01, 2010 at 09:52:18AM -0500, Seth Hall wrote:
> On Mar 1, 2010, at 9:34 AM, Ewald Beekman wrote:
>> I would like to run Bro 1.5.1. with lookups to the MHR,
>> since the 1.5 code allready contains the MD5 functions (?),
>> i assumed i only needed the:
> Sorry about that.  The situation with that script has kind of been a  
> mess for a while.  Recently I spent some time reworking it and  
> integrating it into the rest of my scripts better.  I'll finish that up 
> today and update the repository.  It will be much easier to run the  
> script once I update it.  The logging will be a lot better too.
> I'll send an email when I make the update.
>   .Seth
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721

Ewald Beekman, CISSP. Academic Medical Center (AMC), NL

More information about the Bro mailing list