[Bro] BRO & Malware Hash Registry

Seth Hall hall.692 at osu.edu
Wed Mar 10 08:04:06 PST 2010

On Mar 10, 2010, at 5:29 AM, Ewald Beekman wrote:

> Sorry for bothering you, but ..
> did you get any further with the cleanup of the code?

I did. :)  On Monday I pushed my changes to my my github repository  
but I just haven't had time to send an email about the changes yet.   
There are a lot of changes.

* My version of http-identified-files is now named http-ext-identified- 
files to avoid conflicts with the built in http-identified-files script.
* http-ext-identified-files doesn't require libmagic anymore and file  
signatures are now defined in http-ext-identified-files.sig.
* Software-ext can detect and log adobe flash player versions (more  
detected software coming soon) if http-ext is loaded.
    - you also want to apply this patch if you load software-ext.. http://tracker.icir.org/bro/ticket/227
* Team Cymru MHR work is now done by http-hash.bro and the notice name  
has changed from HTTP_Malware to HTTP_MHR_Malware.  This could change  
again at some point, I can't figure out which I like better.
* Please don't run dns-ext.bro.  It *will* cause memory issues because  
it doesn't release state quickly enough.  I'm going to fix that  
problem as soon as I have time and motivation.

If you want to see configuration options for the scripts, look in the  
"export" section near the top.  I think I've documented each of the  
configuration options, but let me know if there are anymore options  
you'd like to have.  I'm going to be writing documentation for all of  
these scripts soon with more detail than just "look at the export  
section".  There are a lot of little tricks you can do to do further  
analysis that might not be readily apparent.

> I have used Bro for about two weeks now and it helps me
> detect malware infections very well

Great!  The new version of the scripts makes it much easier to define  
what types of files you'd like to collect hashes for and logs those in  
the normal tab separated output format that I use for all of my  
scripts (documented in http-hash).  Keep in mind that your Bro  
instance will slow down as you generate md5 sums for more file types.   
It could be worth testing the limits on your network though if you're  
interested in md5 sums for a few extra file types.

> Would it be an idea to check the hash against virustotal?

That's definitely a legitimate idea and it would be great if they  
offered a DNS interface similar to Team Cymru.  However, they don't so  
we can't do it right now.

> Perhaps a better idea for BRO/VT capabilities is to use an
> intermediate system which does the hash checking with VT and
> caches the results. Bro could than use simple http to check
> the hash against the intermediate system.

Matthias Vallentin has an idea for handling this sort of extended  
processing that can't currently be done (and possibly shouldn't be  
done) within Bro.  I'll let him introduce his thoughts relating to  
your idea if he wants.

> just my thoughts, free flowing ;)

Keep them coming. :)


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

More information about the Bro mailing list