[Bro] MD5 Hashing

Seth Hall seth at icir.org
Tue Mar 13 13:10:12 PDT 2012

On Mar 13, 2012, at 3:54 PM, Mike Sconzo wrote:

> Will the changes in 2.1 allow for passing of data to an MD5 function?
> Or will it (the file analysis policy) use protocol knowledge + magic
> number to determine if it should be MD5'd or not?

That's only a cheat mechanism I put in place.  You actually have a lot more flexibility than that if you write a bit of code.  The HTTP::Info data structure is extended in the scripts/base/protocols/http/file-hash.bro script to get a field named "calc_md5".  If you set that field to true (T) before the first chunk of data is seen Bro will calculate an MD5 sum for the transfer.  If you handle the http_header event for example, you would just do your condition and then set the field to T.  Here's a short and dumb example…

event http_header(c: connection, is_orig: bool, name: string, value: string)
	if ( ! is_orig && name == "CONTENT-TYPE" && value == "IMAGE/JPG" )
		c$http$calc_md5 = T;

This will make Bro calculate md5 sums for any HTTP transfer where the server sent jpg as the content type (this is not what would be matched with the generate_md5 variable as I mention below).

> I only ask because seeing an exe downloaded with a mime type of
> image/jpg is not completely uncommon.

Those mime types are sniffed (we ignore the content-type header).  If it's a windows executable it will be detected as such.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list