[Bro] BRO & Malware Hash Registry
hall.692 at osu.edu
Wed Mar 10 08:04:06 PST 2010
On Mar 10, 2010, at 5:29 AM, Ewald Beekman wrote:
> Sorry for bothering you, but ..
> did you get any further with the cleanup of the code?
I did. :) On Monday I pushed my changes to my github repository
but I just haven't had time to send an email about the changes yet.
There are a lot of changes.
* My version of http-identified-files is now named http-ext-identified-
files to avoid conflicts with the built in http-identified-files script.
* http-ext-identified-files doesn't require libmagic anymore and file
signatures are now defined in http-ext-identified-files.sig.
* Software-ext can detect and log Adobe Flash Player versions (more
detected software coming soon) if http-ext is loaded.
- You also want to apply this patch if you load software-ext: http://tracker.icir.org/bro/ticket/227
* Team Cymru MHR work is now done by http-hash.bro and the notice name
has changed from HTTP_Malware to HTTP_MHR_Malware. This could change
again at some point, I can't figure out which I like better.
* Please don't run dns-ext.bro. It *will* cause memory issues because
it doesn't release state quickly enough. I'm going to fix that
problem as soon as I have time and motivation.
If you want to see configuration options for the scripts, look in the
"export" section near the top. I think I've documented each of the
configuration options, but let me know if there are any more options
you'd like to have. I'm going to be writing documentation for all of
these scripts soon with more detail than just "look at the export
section". There are a lot of little tricks you can do to do further
analysis that might not be readily apparent.
> I have used Bro for about two weeks now and it helps me
> detect malware infections very well
Great! The new version of the scripts makes it much easier to define
what types of files you'd like to collect hashes for and logs those in
the normal tab separated output format that I use for all of my
scripts (documented in http-hash). Keep in mind that your Bro
instance will slow down as you generate md5 sums for more file types.
It could be worth testing the limits on your network though if you're
interested in md5 sums for a few extra file types.
> Would it be an idea to check the hash against virustotal?
That's definitely a legitimate idea and it would be great if they
offered a DNS interface similar to Team Cymru. However, they don't so
we can't do it right now.
> Perhaps a better idea for BRO/VT capabilities is to use an
> intermediate system which does the hash checking with VT and
> caches the results. Bro could then use simple http to check
> the hash against the intermediate system.
Matthias Vallentin has an idea for handling this sort of extended
processing that can't currently be done (and possibly shouldn't be
done) within Bro. I'll let him introduce his thoughts relating to
your idea if he wants.
> just my thoughts, free flowing ;)
Keep them coming. :)
Network Security - Office of the CIO
The Ohio State University
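The message above leans on two ideas worth seeing in code: Team Cymru's Malware Hash Registry is consulted over DNS (the author notes that VirusTotal offers no comparable DNS interface), and Ewald's suggestion of an intermediate system that caches lookups so a busy sensor does not ask the same question twice. The example below is added here and is not code from the post, from Bro, or from the http-hash.bro script; the zone name malware.hash.cymru.com, the 127.0.0.2 "listed" answer and the "timestamp percentage" TXT format are taken from Team Cymru's published MHR documentation as assumptions of the example, and the sample TXT payload is constructed.

```python
import re
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumption (from Team Cymru's public MHR docs, not from the post): the MD5
# is the leftmost DNS label under this zone.
MHR_ZONE = "malware.hash.cymru.com"

# Assumption: an A record of 127.0.0.2 means "listed"; NXDOMAIN means unknown.
MHR_LISTED_ADDR = "127.0.0.2"

# Assumption: the TXT answer is "<last-seen unix time> <detection percentage>".
_TXT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class MhrResult:
    md5: str
    listed: bool
    last_seen: Optional[int] = None      # unix timestamp from the TXT record
    detection_pct: Optional[int] = None  # share of AV engines detecting it


def mhr_query_name(md5_hex: str) -> str:
    """Build the DNS name for one MD5 digest after validating it."""
    h = md5_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", h):
        raise ValueError(f"not an MD5 hex digest: {md5_hex!r}")
    return f"{h}.{MHR_ZONE}"


def parse_mhr_txt(md5_hex: str, txt: Optional[str]) -> MhrResult:
    """Turn a TXT answer (None stands for NXDOMAIN) into an MhrResult."""
    if txt is None:
        return MhrResult(md5=md5_hex.lower(), listed=False)
    m = _TXT_RE.match(txt)
    if not m:
        raise ValueError(f"unexpected MHR TXT payload: {txt!r}")
    return MhrResult(md5_hex.lower(), True, int(m.group(1)), int(m.group(2)))


class MhrCache:
    """Small TTL cache: the in-process version of the thread's
    'intermediate system that caches results' idea (example code only)."""

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: Dict[str, Tuple[float, MhrResult]] = {}

    def get(self, md5_hex: str) -> Optional[MhrResult]:
        entry = self._store.get(md5_hex.lower())
        if entry and entry[0] > self.clock():
            return entry[1]
        return None  # missing or expired

    def put(self, result: MhrResult) -> None:
        self._store[result.md5] = (self.clock() + self.ttl, result)


def lookup_listed(md5_hex: str, cache: Optional[MhrCache] = None) -> bool:
    """Live A-record lookup (touches the network); returns only listed/not.
    The standard library cannot fetch TXT records, so the richer metadata
    is only available through parse_mhr_txt() with a resolver library."""
    cached = cache.get(md5_hex) if cache else None
    if cached is not None:
        return cached.listed
    try:
        listed = socket.gethostbyname(mhr_query_name(md5_hex)) == MHR_LISTED_ADDR
    except socket.gaierror:
        listed = False  # NXDOMAIN: hash is not in the registry
    if cache:
        cache.put(MhrResult(md5_hex.lower(), listed))
    return listed


if __name__ == "__main__":
    # Offline demo on a constructed TXT payload; no DNS traffic is sent.
    sample_md5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of the empty string
    print(mhr_query_name(sample_md5))
    print(parse_mhr_txt(sample_md5, "1268236800 47"))  # constructed answer
```

A sensor that hashes every executable download will repeat lookups for the same popular binaries; keeping a positive and a negative result for an hour, as the cache does, is what turns a per-file DNS round trip into something the sensor can afford.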