[Bro] BRO & Malware Hash Registry
vallentin at ICSI.Berkeley.EDU
Wed Mar 10 11:22:18 PST 2010
> > Perhaps a better idea for BRO/VT capabilities is to use an
> > intermediate system which does the hash checking with VT and
> > caches the results. Bro could than use simple http to check
> > the hash against the intermediate system.
> Matthias Vallentin has an idea for handling this sort of extended
> processing that can't currently be done (and possibly shouldn't be
> done) within Bro. I'll let him introduce his thoughts relating to
> your idea if he wants.
It is already possible to process Bro events from a scripting language
(Ruby and Python currently) to perform time-intensive tasks separately,
without having to worry about real-time constraints. My idea is to push
this notion a little further by writing a framework that allows you to
(i) manage intelligence sources in a unified fashion, e.g.,
(ii) generate/update both scripts and state remotely via broctl and
the event-based Broccoli channel
(iii) write high-level plug-ins (such as for Tor traffic, PDF
analysis, or CWSandbox malware execution) that offer a
consistent and interface to Bro using primitives from (ii)
Seth brought point (i) to my attention, so I throw the ball back to him
for details :-)
Unfortunately, I am currently lacking the cycles to work on this idea.
But as soon as any of this is usable, you'll hear about it.
vallentin at icir.org
More information about the Bro