[Bro] Bro script to detect XOR'd executables
daniel at justbeck.com
Mon Dec 9 16:40:15 PST 2013
I've been working on my first real bro script and I had a couple questions.
It uses the File API to detect the transfer of XOR'd Windows executables,
the code is at https://github.com/justbeck/bro-xorpe.
My questions are:
- Is the file object in the file_new event guaranteed to have the beginning
of the captured file? If not, is there a better location to hook the
- What's the performance impact of running a script like this on a large
pipe? The script runs several (quasi) loops for each file_new event and I
only have my home network to test it on.
- Following on the last question, is there a better way to do bitwise
operations in Bro scripts besides creating a huge lookup table?
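The check the script described above performs, written out as an added example in Python rather than Bro (it is not code from the bro-xorpe repository): brute-force a single-byte XOR key over the first bytes of a file and accept a key only if it reveals both the MZ stub and the "PE\0\0" signature at e_lfanew, which keeps false positives low when every file_new is scanned. The sample header is constructed here; only the leading bytes of the file are needed, since a real key search never has to look past the PE signature.

```python
import struct
from typing import Optional

def build_sample_pe() -> bytes:
    """Constructed minimal DOS/PE header: 'MZ', e_lfanew at 0x3c -> 0x40, 'PE\\0\\0' at 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3a)
    hdr += struct.pack("<I", 0x40)          # e_lfanew field lives at offset 0x3c
    hdr += b"PE\x00\x00" + b"\x00" * 20     # PE signature followed by (dummy) COFF header bytes
    return bytes(hdr)

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; this is the operation a Bro script without bitwise operators
    would have to emulate with a 256x256 lookup table."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'.
    Checking the second signature is what rules out random 2-byte 'MZ' matches."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if e_lfanew + 4 > len(data):
        return False               # header lies beyond the bytes captured so far
    return data[e_lfanew : e_lfanew + 4] == b"PE\x00\x00"

def find_xor_key(chunk: bytes) -> Optional[int]:
    """Return the single-byte key under which chunk decodes to a PE header, else None.
    Key 0 means the file is already a plain PE; multi-byte keys are not covered."""
    for key in range(256):
        if looks_like_pe(xor_bytes(chunk, key)):
            return key
    return None

if __name__ == "__main__":
    # Encode the constructed header with key 0x5A and recover the key from the leading bytes.
    encoded = xor_bytes(build_sample_pe(), 0x5A)
    print("recovered key:", find_xor_key(encoded))   # prints 90 (0x5A)
```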