[Bro] Bro script to detect XOR'd executables

Daniel Beck daniel at justbeck.com
Mon Dec 9 16:40:15 PST 2013


Hello list,

I've been working on my first real Bro script and I had a couple of questions.
It uses the File API to detect the transfer of XOR'd Windows executables;
the code is at https://github.com/justbeck/bro-xorpe.

My questions are:

- Is the file object in the file_new event guaranteed to have the beginning
of the captured file? If not, is there a better location to hook the
analysis into?

- What's the performance impact of running a script like this on a large
pipe? The script runs several (quasi) loops for each file_new event and I
only have my home network to test it on.

- Following on the last question, is there a better way to do bitwise
operations in Bro scripts besides creating a huge lookup table?

Thanks,

Daniel
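As an added illustration of the detection idea raised in this post (this is not the bro-xorpe script, nor Bro code), the Python below shows the core check a file-analysis hook would need: given the first bytes of a file, try every single-byte XOR key and see whether decoding yields a PE image (the "MZ" magic, then either a valid e_lfanew pointing at "PE\0\0" or the familiar DOS-stub string). It assumes a single-byte key applied uniformly to the whole file, and it needs the genuine start of the file, which is exactly why the first question above matters: a hook that is not guaranteed the file's first 0x40 bytes cannot run this check. Key 0 is reported for a plaintext PE, so the same routine covers both the encoded and the unencoded case. The sample PE head is constructed inline for the demonstration.

```python
# Added example: single-byte XOR'd PE detection over a file's leading bytes.
# Not the bro-xorpe project's code. Assumes a single uniform one-byte key.

DOS_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
MIN_HEAD = 0x40  # enough to reach e_lfanew at offset 0x3C


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def detect_xor_pe(head: bytes):
    """Return the XOR key (0..255) if `head` decodes to a PE header, else None.

    `head` must be the beginning of the file. Key 0 means the file is a
    plaintext PE. The MZ test on two bytes is a cheap filter; only keys that
    pass it pay for decoding the whole head.
    """
    if len(head) < MIN_HEAD:
        return None
    for key in range(256):
        if (head[0] ^ key) != DOS_MAGIC[0] or (head[1] ^ key) != DOS_MAGIC[1]:
            continue
        decoded = xor_bytes(head, key)
        # e_lfanew (offset 0x3C, little-endian) should point at "PE\0\0".
        e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
        pe_ok = (
            MIN_HEAD <= e_lfanew <= len(decoded) - 4
            and decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0"
        )
        # Fallback when the capture is too short to reach the PE signature.
        stub_ok = DOS_STUB in decoded
        if pe_ok or stub_ok:
            return key
    return None


def build_sample_pe_head() -> bytes:
    """Constructed minimal PE-like head: MZ magic, e_lfanew=0x80, DOS stub, PE sig."""
    head = bytearray(DOS_MAGIC + b"\x90" * (0x3C - 2))
    head += (0x80).to_bytes(4, "little")        # e_lfanew
    head += DOS_STUB + b".\r\n$"
    head += b"\x00" * (0x80 - len(head))
    head += b"PE\0\0" + b"\x00" * 16            # PE signature + a little padding
    return bytes(head)


if __name__ == "__main__":
    sample = build_sample_pe_head()
    print("plaintext PE key:", detect_xor_pe(sample))
    print("XOR 0x5A key:", hex(detect_xor_pe(xor_bytes(sample, 0x5A))))
    print("ELF-like head:", detect_xor_pe(b"\x7fELF" + b"\x00" * 200))
```

The two-byte MZ filter is what keeps this cheap on a busy link: for a random file only the one key that maps the first byte to 'M' is even considered, and it is rejected unless the second byte lines up too, so the full decode runs on at most one key per file. A multi-byte or rolling key would need a different approach, which is outside what this example handles.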