[Bro] Question on file hashes and cyrmu db

Seth Hall seth at icir.org
Fri Aug 15 08:44:59 PDT 2014

On Aug 14, 2014, at 9:26 PM, Dave DeChellis <dave at dechellis.com> wrote:

> I've run them against the DNS,Whois and web queries and had no luck.  I work at a very open place and I find it almost impossible that not one of the 1.7M hashes match.

Most of those hashes are likely just web pages your user's are visiting so it think it's very possible that none of them would match.

I see that the pcap file Doug pointed you to isn't working for you either.  It's very possible that you're using a DNS server that isn't very fast and Bro is finishing reading the tracefile before you get a DNS response which will cause you to not have a match.  Try this...

bro -r netforensics_evidence05.pcap frameworks/files/detect-MHR exit_only_after_terminate=T

Wait for a few seconds and then hit ctrl-c and see if you get a notice.  That "exit_only_after_terminate" bit I added at the end will ensure that Bro doesn't terminate as soon as it reaches the end of the tracefile, giving your DNS server a bit of time to respond.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140815/fe9e6bc5/attachment.bin 

More information about the Bro mailing list