[Bro] BRO & Malware Hash Registry

Matthias Vallentin vallentin at ICSI.Berkeley.EDU
Wed Mar 10 11:22:18 PST 2010

> > Perhaps a better idea for BRO/VT capabilities is to use an
> > intermediate system which does the hash checking with VT and
> > caches the results. Bro could then use simple http to check
> > the hash against the intermediate system.
> Matthias Vallentin has an idea for handling this sort of extended
> processing that can't currently be done (and possibly shouldn't be
> done) within Bro.  I'll let him introduce his thoughts relating to
> your idea if he wants.

It is already possible to process Bro events from a scripting language
(Ruby and Python currently) to perform time-intensive tasks separately,
without having to worry about real-time constraints. My idea is to push
this notion a little further by writing a framework that allows you to 

      (i) manage intelligence sources in a unified fashion, e.g.,
          blacklist integration
     (ii) generate/update both scripts and state remotely via broctl and
          the event-based Broccoli channel
    (iii) write high-level plug-ins (such as for Tor traffic, PDF
          analysis, or CWSandbox malware execution) that offer a
          consistent interface to Bro using primitives from (ii)

Seth brought point (i) to my attention, so I throw the ball back to him
for details :-)

Unfortunately, I am currently lacking the cycles to work on this idea.
But as soon as any of this is usable, you'll hear about it.

Matthias Vallentin
vallentin at icir.org
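The quoted proposal of an intermediate system that performs the slow hash lookup and caches the answer, so the sensor itself never waits on the remote registry, is sketched below as an added example. It is not Bro code and not code from anyone in this thread; the upstream registry is replaced by a constructed in-memory table (`CONSTRUCTED_REGISTRY`), the digests are made up, and the class and function names are the example's own. It shows the two properties such a cache layer needs: known-bad answers are kept for a long time, while "unknown" answers are kept only briefly so that a later registry update is picked up, and malformed input is rejected before it reaches the upstream query.

```python
"""Toy intermediate hash-lookup cache (added example, not part of Bro).

A sensor asks this layer for a verdict on a file hash.  The layer consults
the upstream registry only on a cache miss and remembers the answer, so the
real-time path never blocks on a remote query.  The registry is stubbed out
with a constructed table; nothing here contacts a real service.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Accept lower-case hex MD5 (32), SHA-1 (40) or SHA-256 (64) digests only.
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


@dataclass
class Verdict:
    known_bad: bool
    source: str        # "cache" if answered locally, "upstream" if the registry was asked
    expires_at: float  # absolute time after which the entry is considered stale


class HashLookupCache:
    def __init__(self, resolve: Callable[[str], bool],
                 positive_ttl: float = 86400.0, negative_ttl: float = 3600.0):
        self._resolve = resolve          # upstream query function (stubbed in the demo)
        self._positive_ttl = positive_ttl  # how long to trust a "known bad" answer
        self._negative_ttl = negative_ttl  # how long to trust an "unknown" answer
        self._entries: Dict[str, Verdict] = {}
        self.upstream_queries = 0        # counts how often the slow path was taken

    def lookup(self, digest: str, now: Optional[float] = None) -> Verdict:
        now = time.time() if now is None else now
        digest = digest.strip().lower()
        if not HEX_HASH.match(digest):
            # Reject garbage before it is forwarded to the registry.
            raise ValueError("not a hex MD5/SHA-1/SHA-256 digest")
        cached = self._entries.get(digest)
        if cached is not None and cached.expires_at > now:
            return Verdict(cached.known_bad, "cache", cached.expires_at)
        # Cache miss or expired entry: take the slow path once and remember it.
        self.upstream_queries += 1
        known_bad = bool(self._resolve(digest))
        ttl = self._positive_ttl if known_bad else self._negative_ttl
        verdict = Verdict(known_bad, "upstream", now + ttl)
        self._entries[digest] = verdict
        return verdict


# Constructed stand-in for a remote hash registry; the digest is made up.
CONSTRUCTED_REGISTRY = {
    "0" * 31 + "1": True,
}


def stub_resolve(digest: str) -> bool:
    """Pretend upstream query: True if the registry lists the digest as bad."""
    return CONSTRUCTED_REGISTRY.get(digest, False)


def demo() -> dict:
    """Exercise the cache with a fixed clock so the behaviour is deterministic."""
    cache = HashLookupCache(stub_resolve, positive_ttl=100.0, negative_ttl=10.0)
    bad = "0" * 31 + "1"      # constructed digest present in the registry
    clean = "f" * 40          # constructed digest absent from the registry
    r1 = cache.lookup(bad, now=0.0)     # miss: asks upstream
    r2 = cache.lookup(bad, now=50.0)    # within positive TTL: served from cache
    r3 = cache.lookup(clean, now=0.0)   # miss: asks upstream, gets "unknown"
    r4 = cache.lookup(clean, now=20.0)  # negative TTL expired: asks upstream again
    return {
        "bad_first": r1.source,
        "bad_second": r2.source,
        "clean_first": r3.source,
        "clean_after_expiry": r4.source,
        "upstream_queries": cache.upstream_queries,
    }


if __name__ == "__main__":
    print(demo())
```

In the real deployment the `resolve` callable would be the HTTP query to the registry and the cache would be exposed to the sensor over a local HTTP endpoint, as the quoted message suggests; the asymmetric TTLs are the design choice worth copying, since a short negative TTL bounds how long a newly listed hash is missed while a long positive TTL keeps repeat offenders off the slow path.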
