[Bro] Bro + Yara File Scanning Module?

Seth Hall seth at icir.org
Fri Jul 25 11:45:04 PDT 2014

On Jul 25, 2014, at 1:42 PM, Jason Batchelor <jxbatchelor at gmail.com> wrote:

> Out of curiosity, were you working with Yara 2.0 when you were developing? It is several orders of magnitude faster than previous versions.

I was working on it during the lead up to the 2.0 code so my work was developed around the changes they made.

>  To your question, I would be interested in this effort but before diving in would like some time to familiarize myself more with Bro development. I will be at this years BroCon in pursuit of that goal and would welcome further collaboration toward this end :)

Once an incremental analysis api is added to Yara and Yara's match state and compiled rules are separated, the Bro module is really simple (and it's already been written somewhere...).

>  Ideally, what I would love to see is a way to take actions on alerts generated by some kind of 'Files::ANALYZER_YARA'. So say if I have a ZIP file for example and a Yara rule to detect a ZIP. I think it would be very valuable for someone to not only just trigger on that, but then invoke an event that decompresses the ZIP and feeds the contents through the same scanning engine. Now replace ZIP files with a known crypter/obfuscation or something else and you can perhaps start to see the power and possibilities that begin to unfold :)

It's a bit more complicated than that unfortunately. :)

Everything in Bro is organized around incremental analysis.  If you have a yara rule fire you can't go back and look at the old data, it's gone already.  You'd need to write Bro scripts that extract files temporarily and then possibly re-analyze them with new information.

> By implementing this modular 'take action on X' mentality with respect to Bro and Yara, my signatures get more milage,

I agree there, but there are some questions left lingering.  We aren't really sure if you'll be able to run large rule sets again all files and just how much help they will be.

> Imagine this, I have a signature for shellcode that decrypts a PE in a certain way always at a certain offset. My Yara rule hits on this signature and triggers an event that unmaskes the binary as well, out pops the dropper, that is scanned again, and hits on the signature I created for the dropper, etc, etc..

This is one of those areas where the file would need to be extracted and re-analyzed.

> Hope that helps paint the picture a little more :)

Yes!  I'm just excited that someone that doesn't primarily look at network traffic is playing with Bro, or at least looking into it. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140725/4263098c/attachment.bin 

More information about the Bro mailing list