[Bro] Bro + Yara File Scanning Module?

Lankau, John John_Lankau at sra.com
Fri Jul 25 07:20:01 PDT 2014


I would be curious to hear more about this as well. I don’t know if it already exists, but we are considering a functionality here very similar to what you’ve described. We were considering moving the extracted files to another system for Yara scanning, but integrating it within Bro might be a more efficient process.


From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Friday, July 25, 2014 10:04 AM
To: bro at bro.org
Subject: [Bro] Bro + Yara File Scanning Module?

Hello all:

I wanted to poke the hive mind to see if anyone has considered, or is actively pursuing integrating Yara into a Bro script?

An idea for a script I would like to write is to simply take any file from a 'file_new' event. Then add something like Files::ANALYZER_YARA that would do the heavy lifting and take a user defined path to a master Yara file, scan the file, append the results to either files.log or notice.log, and finally, extract any file that hit on a signature (for further analysis).

Interested if this is something that has been considered previously? If so, what were the results? If not, I'm happy to spin off an effort of my own. Either way I see it as a good project to get into Bro scripting at a deeper level.

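One way to wire together the pieces described above using only what Bro 2.3 already ships, as an added example (this is not code from the thread or from the Bro project): every new file is extracted, the `yara` command-line tool is run against the extracted copy through the Exec framework, hits raise a notice, and files without a match are deleted again. The `YaraScan` module name, the rules path, and the assumption that `yara` is on the PATH of the Bro process are my choices, not anything stated in the post.

```bro
@load base/frameworks/files
@load base/frameworks/notice
@load base/files/extract
@load base/utils/exec
@load base/utils/paths

module YaraScan;

export {
	redef enum Notice::Type += {
		## A file extracted by Bro matched one or more Yara rules.
		Match
	};

	## Master Yara rules file (assumed location; override with redef).
	const rules_path = "/usr/local/etc/yara/master.yar" &redef;
}

event file_new(f: fa_file)
	{
	# Extract every file; copies without a rule hit are unlinked below.
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
	}

event file_state_remove(f: fa_file) &priority=-5
	{
	if ( ! f?$info || ! f$info?$extracted )
		return;

	# f$info$extracted is the bare filename; prepend the extraction directory.
	local path = build_path_compressed(FileExtract::prefix, f$info$extracted);
	local mime = f$info?$mime_type ? f$info$mime_type : "unknown";

	# yara prints one "rule_name path" line per match and exits non-zero
	# only on error, so a non-empty stdout means at least one hit.
	when ( local res = Exec::run([$cmd=fmt("yara %s %s", rules_path, path)]) )
		{
		if ( res$exit_code == 0 && res?$stdout && |res$stdout| > 0 )
			{
			NOTICE([$note=Match,
			        $msg=fmt("Yara match (%s, %s): %s", f$id, mime,
			                 join_string_vec(res$stdout, "; ")),
			        $f=f, $identifier=cat(f$id)]);
			}
		else
			# Keep only the files that hit on a signature.
			unlink(path);
		}
	}
```

Because the scan result arrives asynchronously after the files.log record for the file has already been written, the matches land in notice.log rather than files.log.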