[Bro] MD5 Hashing
christopher.p.crawford at gmail.com
Tue Mar 13 12:24:05 PDT 2012
Sounds simple enough.

So, hypothetically, if I wanted SMTP to MD5 hash all mime types that
are image.* or application.*, I would add the lines below to my

redef SMTP::generate_md5 += /image.*/;
redef SMTP::generate_md5 += /application.*/;

I'm assuming that the += operator appends new regular expressions. Is

On Tue, Mar 13, 2012 at 2:55 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 13, 2012, at 2:22 PM, Chris Crawford wrote:
>> What is the correct way to turn on MD5 hashing in SMTP and HTTP logs?
>> Which variables do I need to set in my share/bro/site/local.bro ?
> # Windows executables are hashed by default (it's a regex matching the mime type of the file)
> redef HTTP::generate_md5 += /image.*/;
> redef SMTP::generate_md5 += /image.*/;
> Those were pulled from these pages in our docs…
> This is being seriously reworked for 2.1 right now too. There is going to be a file analysis policy where you will be able to declare more easily with much better granularity when you'd like to do certain analyses.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network