[Bro] Bro script to detect XOR'd executables

Seth Hall seth at icir.org
Mon Dec 9 18:07:08 PST 2013

On Dec 9, 2013, at 7:40 PM, Daniel Beck <daniel at justbeck.com> wrote:

> - Is the file object in the file_new event guaranteed to have the beginning of the captured file? If not, is there a better location to hook the analysis into?

No, you aren't guaranteed that it's the beginning of the file.  You should be able to inspect the file record though to see if you have gotten the begging of the file although I'm blanking on how exactly you'd do that at the moment.

> - What's the performance impact of running a script like this on a large pipe? The script runs several (quasi) loops for each file_new event and I only have my home network to test it on.

Not sure, but likely to have a lot of overhead.  There is quite a bit of code there that runs for each file.  The best way to find out is to run it on a larger network though.

> - Following on the last question, Is there a better way to do bitwise operations in Bro scripts besides creating a huge lookup table?

Unfortunately not at the moment.  There have been a number of discussions where we've talked about adding bitwise operators to Bro but we've never come to any firm conclusion.

Anyway, overall it's a really neat script.  Nice job!


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131209/c65f2557/attachment.bin 

More information about the Bro mailing list