[Bro] Question on file hashes and Cymru db

Dave DeChellis dave at dechellis.com
Thu Aug 14 18:26:22 PDT 2014


I'm helping to customize an existing deployment of Bro and while I think I'm
collecting all the file info correctly, I'm not hitting any matches when I run
the hashes against Cymru's database. I was wondering if someone could confirm
that none of these hashes match either. I've run them against the DNS, Whois
and web queries and had no luck. I work at a very open place and I find it
almost impossible that not one of the 1.7M hashes match. In the event there
are no matches, could someone point me to some sample pcap files so I can test
my scripts?

If someone wanted to help cross correlate my findings, I could send offline a
.gz of 1.7M hashes from a few hours of collection.

Thanks again for any help or assistance
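The lookup described above, as an added example that is not part of the original post: it pulls the md5 column out of a Bro files.log excerpt (skipping files that had no hash analyzer attached, which show up as "-"), builds the Team Cymru Malware Hash Registry DNS query name, and parses the TXT answer. The zone name and the "last_seen_epoch detection_percent" answer format are taken from the MHR documentation as I remember it; the log excerpt, hashes and the offline resolver are constructed, and the dnspython resolver is an optional drop-in that is not run here.

```python
import re

# Team Cymru MHR zone: an MD5 or SHA-1 hex digest is prepended as the query label
# and a TXT record comes back only for hashes the registry knows (else NXDOMAIN).
MHR_ZONE = "malware.hash.cymru.com"
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")

def mhr_query_name(file_hash):
    """Build the MHR query name; rejects anything that is not an MD5/SHA-1 digest."""
    h = file_hash.strip().lower()
    if not HEX_HASH.match(h):
        raise ValueError("MHR accepts only MD5 or SHA-1 hex digests: %r" % file_hash)
    return "%s.%s" % (h, MHR_ZONE)

def parse_mhr_txt(txt):
    """Parse an MHR TXT answer '<last_seen_epoch> <detection_percent>'; None = no record."""
    if txt is None:
        return None
    last_seen, percent = txt.strip().strip('"').split()
    return {"last_seen": int(last_seen), "detection_percent": int(percent)}

def hashes_from_files_log(log_text):
    """Yield md5 values from a Bro files.log; '-' means no hash analyzer was attached."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("md5", "-") != "-":
                yield rec["md5"]

def check_hashes(log_text, resolve_txt):
    """Map each hash to its parsed MHR record (or None) via resolve_txt(qname) -> str|None."""
    return {h: parse_mhr_txt(resolve_txt(mhr_query_name(h)))
            for h in hashes_from_files_log(log_text)}

def live_resolver(qname):
    """Optional real DNS lookup with dnspython (pip install dnspython); not used below."""
    import dns.resolver
    try:
        return dns.resolver.resolve(qname, "TXT")[0].to_text()
    except dns.resolver.NXDOMAIN:
        return None

# Constructed files.log excerpt: one file without a hash, two with placeholder MD5s.
SAMPLE_LOG = ("#fields\tts\tfuid\tmime_type\tmd5\tsha1\n"
              "1408059982.1\tFa1\ttext/html\t-\t-\n"
              "1408059983.2\tFa2\tapplication/x-dosexec\t0123456789abcdef0123456789abcdef\t-\n"
              "1408059984.3\tFa3\tapplication/pdf\tffffffffffffffffffffffffffffffff\t-\n")
# Constructed stand-in for the registry so the example runs offline.
FAKE_MHR = {"0123456789abcdef0123456789abcdef." + MHR_ZONE: '"1408000000 55"'}
def offline_resolver(qname):
    return FAKE_MHR.get(qname)
```

Swap offline_resolver for live_resolver to query the real registry; a hash that is absent from the MHR simply maps to None, so a clean network can legitimately produce a run with no hits.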