[Bro] MD5 Hashing

Chris Crawford christopher.p.crawford at gmail.com
Tue Mar 13 12:24:05 PDT 2012


Sounds simple enough.

So, hypothetically, if I wanted SMTP to MD5 hash all mime types that
are image.* or application.*, I would add the lines below to my
local.bro?

redef SMTP::generate_md5 += /image.*/;
redef SMTP::generate_md5 += /application.*/;

I'm assuming that the += operator appends new regular expressions.  Is
that correct?

-Chris

On Tue, Mar 13, 2012 at 2:55 PM, Seth Hall <seth at icir.org> wrote:
>
> On Mar 13, 2012, at 2:22 PM, Chris Crawford wrote:
>
>> What is the correct way to turn on MD5 hashing in SMTP and HTTP logs?
>> Which variables do I need to set in my share/bro/site/local.bro ?
>
>
> # Windows executables are hashed by default (it's a regex matching the mime type of the file)
> redef HTTP::generate_md5 += /image.*/;
> redef SMTP::generate_md5 += /image.*/;
>
> Those were pulled from these pages in our docs…
> http://www.bro-ids.org/documentation/scripts/base/protocols/http/file-hash.html#id-HTTP::generate_md5
> http://www.bro-ids.org/documentation/scripts/base/protocols/smtp/entities.html#id-SMTP::generate_md5
>
> This is being seriously reworked for 2.1 right now too.  There is going to be a file analysis policy where you will be able to declare more easily, with much better granularity, when you'd like to do certain analyses.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
