[Bro] MD5 Hashing
seth at icir.org
Tue Mar 13 13:10:12 PDT 2012
On Mar 13, 2012, at 3:54 PM, Mike Sconzo wrote:
> Will the changes in 2.1 allow for passing of data to an MD5 function?
> Or will it (the file analysis policy) use protocol knowledge + magic
> number to determine if it should be MD5'd or not?
That's only a cheat mechanism I put in place. You actually have a lot more flexibility than that if you write a bit of code. The HTTP::Info data structure is extended in the scripts/base/protocols/http/file-hash.bro script to get a field named "calc_md5". If you set that field to true (T) before the first chunk of data is seen, Bro will calculate an MD5 sum for the transfer. If you handle the http_header event, for example, you would just do your condition and then set the field to T. Here's a short and dumb example…
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Response headers only (is_orig is F for data from the server);
	# header names are delivered upper-cased by the HTTP analyzer.
	if ( ! is_orig && name == "CONTENT-TYPE" && value == "IMAGE/JPG" )
		c$http$calc_md5 = T;
	}
This will make Bro calculate md5 sums for any HTTP transfer where the server sent jpg as the content type (this is not what would be matched with the generate_md5 variable as I mention below).
> I only ask because seeing an exe downloaded with a mime type of
> image/jpg is not completely uncommon.
Those mime types are sniffed (we ignore the content-type header). If it's a windows executable it will be detected as such.
International Computer Science Institute
(Bro) because everyone has a network
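A slightly more general version of the mechanism described in the reply above, added here as an example and not code from the original message or from the Bro distribution: it hashes any HTTP response whose declared Content-Type is in a redef-able set, matching case-insensitively and ignoring header parameters. The module name and the hash_content_types set are assumptions of this example; it relies on calc_md5 being provided by base/protocols/http/file-hash.bro as the message states.

```bro
# Added example (not from the original message or the Bro project): hash any
# HTTP response whose declared Content-Type is in a redef-able set, using the
# HTTP::Info$calc_md5 field described in the reply. The module name and the
# hash_content_types set are assumptions of this example.

@load base/protocols/http

module HashByContentType;

export {
	## Declared response content types whose bodies should be MD5'd.
	## Values are compared lower-cased with any parameters (e.g. charset)
	## removed, so entries here must be lower-case media types only.
	const hash_content_types: set[string] = {
		"image/jpg",
		"image/jpeg",
	} &redef;
}

# http_header fires once per header line, before any body data arrives,
# which is the window in which calc_md5 must be set for a hash to be produced.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only response headers (server -> client) describe the downloaded body.
	if ( is_orig )
		return;

	# Bro upper-cases header names before raising this event; the value is
	# delivered as sent, so it is normalised below.
	if ( name != "CONTENT-TYPE" )
		return;

	# The HTTP state record is normally created before this handler runs;
	# guard anyway so a stray header cannot raise a runtime error.
	if ( ! c?$http )
		return;

	# Drop parameters such as "; charset=utf-8" and ignore case.
	local declared = to_lower(strip(sub(value, /;.*$/, "")));

	if ( declared in hash_content_types )
		c$http$calc_md5 = T;
	}
```

Because the decision is taken on the declared type rather than the sniffed one, a body that is really a Windows executable but labelled as an image still gets hashed, which is the case raised in the question.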