[Bro] Quick question
init.conf at gmail.com
Fri Mar 22 13:47:54 PDT 2013
(A notice for binaries on the network is a subjective decision, but I think it was not as bad an idea, Seth.)
I think back in the day, when MD5 sum calculation was a new feature in Bro, this notice merely told you that binaries (and other MIME types of choice) were traversing the network, and here is their MD5.
We found this useful in the notice log for post-processing because:
1) Searches for known bad MD5s were much faster in notice.log than in http.log due to the smaller size of the notice logs.
2) It also provided an easy search string, HTTP::MD5 (or SMTP::MD5), to grep on (just a preference).
3) Post-processing of HTTP::MD5 allowed us to make a whitelist of known binaries that we serve from our network and flag when a new binary is being hosted by us. This was useful for finding things like accidental open shares (e.g. C:/ is world readable) or bad guys using a webserver to host malware.
Of course, now with the input framework we can feed bad MD5s into Bro in real time, etc., but post-processing of some nature is still useful and needed.
On Mar 22, 2013, at 12:56 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 22, 2013, at 3:33 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>> 18.104.22.168 80 tcp HTTP::MD5 x.x.x.x
>> What's this telling me? Usually there's something like Invalid Cert or
>> something like that in the notice.log to tell me why it hit, just wasn't
>> seeing the reason here. Thank you.
> I *hate* that notice and it will be going away in the 2.2 release. The notice type is HTTP::MD5 in that line. It's a hold over from how I implemented file hashing originally back in 2007 or so. It should never have made it into a Bro release (let alone two!).
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
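The post-processing workflow the first message describes (pull the HTTP::MD5 / SMTP::MD5 notices out of notice.log, compare the hashes against a known-bad list, and flag binaries served from your own hosts that are not on the whitelist), written out as an added Python example. This is not code from the thread or from the Bro project: it assumes a simplified tab-separated notice.log with Bro's `#fields` header line and that the hash sits in the `sub` column (with a fallback search of `msg`); the log lines, hashes, server addresses and hash lists are constructed for the example.

```python
"""Post-process Bro notice.log hashing notices (HTTP::MD5 / SMTP::MD5).

Added example, not Bro's own code. The log below is a constructed,
simplified notice.log: the real file has more columns, but because the
parser is driven by the '#fields' header it copes with any column order.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample notice.log excerpt (not real traffic, not real hosts).
# Assumption: the MD5 is carried in the 'sub' column; if a deployment put
# it in 'msg' instead, the regex fallback below still finds it.
SAMPLE_NOTICE_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnote\tmsg\tsub
#types\ttime\taddr\tport\taddr\tport\tenum\tenum\tstring\tstring
1363985274.123\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\tHTTP::MD5\t10.0.0.5 192.0.2.10 http://example.invalid/setup.exe\td41d8cd98f00b204e9800998ecf8427e
1363985275.456\t10.0.0.6\t51235\t198.51.100.7\t80\ttcp\tHTTP::MD5\t10.0.0.6 198.51.100.7 http://files.invalid/tool.exe\t0cc175b9c0f1b6a831c399e269772661
1363985276.789\t203.0.113.9\t40000\t10.0.0.80\t80\ttcp\tHTTP::MD5\t203.0.113.9 10.0.0.80 http://www.invalid/share/C/payroll.xls\t900150983cd24fb0d6963f7d28e17f72
1363985277.000\t10.0.0.7\t51236\t192.0.2.25\t443\ttcp\tSSL::Invalid_Server_Cert\tcert problem\t-
"""

HASH_NOTES = ("HTTP::MD5", "SMTP::MD5")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def parse_notice_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log into dicts keyed by the '#fields' header names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]      # column names follow the tag
            continue
        if not line or line.startswith("#"):   # #separator, #types, etc.
            continue
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def md5_notices(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only the hashing notices, attaching the extracted MD5 as 'md5'."""
    out = []
    for rec in records:
        if rec.get("note") not in HASH_NOTES:
            continue
        match = HEX32.search(rec.get("sub", "")) or HEX32.search(rec.get("msg", ""))
        if match:
            out.append({**rec, "md5": match.group(0)})
    return out


def known_bad_hits(notices: Iterable[Dict[str, str]], bad_md5s: Set[str]) -> List[Dict[str, str]]:
    """Notices whose hash appears on a known-bad list (the grep-on-notice.log use case)."""
    return [n for n in notices if n["md5"] in bad_md5s]


def new_hosted_binaries(notices: Iterable[Dict[str, str]], our_servers: Set[str],
                        allowlist: Set[str]) -> List[Dict[str, str]]:
    """Binaries served by our own hosts (responder address) that are not whitelisted.

    A hit here is what the post calls a 'new binary being hosted by us':
    either a deliberate new release or something like an exposed share.
    """
    return [n for n in notices
            if n["id.resp_h"] in our_servers and n["md5"] not in allowlist]


if __name__ == "__main__":
    # Constructed lists: one known-bad hash and an allowlist for our one webserver.
    bad = {"d41d8cd98f00b204e9800998ecf8427e"}
    ours = {"10.0.0.80"}
    allowed = {"0cc175b9c0f1b6a831c399e269772661"}
    notices = md5_notices(parse_notice_log(SAMPLE_NOTICE_LOG))
    for hit in known_bad_hits(notices, bad):
        print("KNOWN BAD:", hit["ts"], hit["id.orig_h"], hit["msg"], hit["md5"])
    for hit in new_hosted_binaries(notices, ours, allowed):
        print("NEW BINARY ON OUR SERVER:", hit["ts"], hit["id.resp_h"], hit["msg"], hit["md5"])
```

Driving the parser from the `#fields` header rather than fixed column offsets is what keeps this working when a log grows extra columns between releases; the whitelist check keys on the responder address, so the same notice stream serves both the known-bad lookup and the "what are we serving" review.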