[Bro] Question on file hashes and cyrmu db
seth at icir.org
Fri Aug 15 08:44:59 PDT 2014
On Aug 14, 2014, at 9:26 PM, Dave DeChellis <dave at dechellis.com> wrote:
> I've run them against the DNS,Whois and web queries and had no luck. I work at a very open place and I find it almost impossible that not one of the 1.7M hashes match.
Most of those hashes are likely just web pages your users are visiting, so I think it's very possible that none of them would match.
I see that the pcap file Doug pointed you to isn't working for you either. It's very possible that you're using a DNS server that isn't very fast and Bro is finishing reading the tracefile before you get a DNS response, which will cause you to not have a match. Try this...
bro -r netforensics_evidence05.pcap frameworks/files/detect-MHR exit_only_after_terminate=T
Wait for a few seconds and then hit ctrl-c and see if you get a notice. That "exit_only_after_terminate" bit I added at the end will ensure that Bro doesn't terminate as soon as it reaches the end of the tracefile, giving your DNS server a bit of time to respond.
International Computer Science Institute
(Bro) because everyone has a network
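Editor's added example (not Seth's code and not Bro's detect-MHR script) showing what the MHR check above amounts to and why the end-of-trace timing matters. It reimplements the lookup in Python: SHA-1 the file, query the Team Cymru registry over DNS as a TXT record for `<sha1>.malware.hash.cymru.com`, and raise a notice when the detection percentage in the answer is at or above a threshold (10% is assumed here as Bro's default; check `notice_threshold` in your detect-MHR version). The DNS answers are a constructed in-memory table served with an artificial delay, so the block runs offline and can show the two outcomes: giving up when the "trace" ends before the resolver answers, versus waiting as `exit_only_after_terminate=T` lets Bro do. `slow_resolver`, `lookup` and the sample file bytes are this example's own names.

```python
"""Team Cymru MHR lookup logic, reimplemented as an offline demonstration.

Assumptions (not from the mailing-list post):
  - MHR is queried as a DNS TXT lookup of <sha1-hex>.malware.hash.cymru.com
    and answers "<last_seen_unix_ts> <detection_percent>", or NXDOMAIN if
    the hash is unknown.
  - A 10% notice threshold, taken to be detect-MHR's default.
  - The DNS answers below are CONSTRUCTED; the "malicious" file is a plain
    byte string and the detection figure is made up.
"""
import hashlib
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError

MHR_ZONE = "malware.hash.cymru.com"
NOTICE_THRESHOLD = 10  # percent; assumed default of detect-MHR


def mhr_query_name(data: bytes) -> str:
    """Build the DNS name the registry expects: SHA-1 hex of the file contents."""
    return f"{hashlib.sha1(data).hexdigest()}.{MHR_ZONE}"


def parse_mhr_txt(txt):
    """Parse a TXT answer into (last_seen, detection_pct); None means NXDOMAIN."""
    if txt is None:
        return None
    last_seen, pct = txt.split()
    return int(last_seen), int(pct)


def mhr_verdict(txt, threshold=NOTICE_THRESHOLD):
    """Decide whether an answer would trigger a notice."""
    parsed = parse_mhr_txt(txt)
    if parsed is None:
        return "unknown"  # hash not in the registry: nothing to report
    _, pct = parsed
    return "notice" if pct >= threshold else "below-threshold"


# Constructed sample data: a fake "file" and a fake registry answer for it.
SAMPLE_FILE = b"constructed sample file contents, not real malware\n"
CONSTRUCTED_TXT = {mhr_query_name(SAMPLE_FILE): "1407974400 37"}


def slow_resolver(name, delay=0.3):
    """Stand-in for a sluggish DNS server: answers only after `delay` seconds."""
    time.sleep(delay)
    return CONSTRUCTED_TXT.get(name)


def lookup(data, wait_for_dns, delay=0.3):
    """Hash the file, fire the asynchronous MHR query, wait up to wait_for_dns seconds.

    wait_for_dns=0 models Bro exiting as soon as the tracefile is exhausted;
    a longer wait models exit_only_after_terminate=T keeping Bro alive until
    the answer (and the notice) can arrive.
    """
    name = mhr_query_name(data)
    with ThreadPoolExecutor(max_workers=1) as pool:
        future = pool.submit(slow_resolver, name, delay)
        try:
            return mhr_verdict(future.result(timeout=wait_for_dns))
        except TimeoutError:
            return "no-answer-before-exit"


if __name__ == "__main__":
    print("query name:", mhr_query_name(SAMPLE_FILE))
    print("exit at end of trace:", lookup(SAMPLE_FILE, wait_for_dns=0.0))
    print("wait for DNS:        ", lookup(SAMPLE_FILE, wait_for_dns=2.0))
```

The first `lookup` call returns before the resolver has answered, which is the "no notice" symptom in the thread; the second waits and reports the notice. Against the real registry you would replace `slow_resolver` with an actual TXT query and keep the verdict logic as is.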