[Bro] Bro + Yara File Scanning Module?

anthony kasza anthony.kasza at gmail.com
Fri Jul 25 12:08:16 PDT 2014


It probably isn't what you're looking for, but I tried making something
similar to Yara a little while back. It is a hack on top of the Intel
framework.

https://github.com/anthonykasza/scratch_pad/tree/master/rules
 On Jul 25, 2014 11:48 AM, "Seth Hall" <seth at icir.org> wrote:

>
> On Jul 25, 2014, at 1:42 PM, Jason Batchelor <jxbatchelor at gmail.com>
> wrote:
>
> > Out of curiosity, were you working with Yara 2.0 when you were
> developing? It is several orders of magnitude faster than previous versions.
>
> I was working on it during the lead up to the 2.0 code so my work was
> developed around the changes they made.
>
> >  To your question, I would be interested in this effort but before
> diving in would like some time to familiarize myself more with Bro
> development. I will be at this year's BroCon in pursuit of that goal and
> would welcome further collaboration toward this end :)
>
> Once an incremental analysis api is added to Yara and Yara's match state
> and compiled rules are separated, the Bro module is really simple (and it's
> already been written somewhere...).
>
> >  Ideally, what I would love to see is a way to take actions on alerts
> generated by some kind of 'Files::ANALYZER_YARA'. So say if I have a ZIP
> file for example and a Yara rule to detect a ZIP. I think it would be very
> valuable for someone to not only just trigger on that, but then invoke an
> event that decompresses the ZIP and feeds the contents through the same
> scanning engine. Now replace ZIP files with a known crypter/obfuscation or
> something else and you can perhaps start to see the power and possibilities
> that begin to unfold :)
>
> It's a bit more complicated than that unfortunately. :)
>
> Everything in Bro is organized around incremental analysis.  If you have a
> yara rule fire you can't go back and look at the old data, it's gone
> already.  You'd need to write Bro scripts that extract files temporarily
> and then possibly re-analyze them with new information.
>
> > By implementing this modular 'take action on X' mentality with respect
> to Bro and Yara, my signatures get more mileage,
>
> I agree there, but there are some questions left lingering.  We aren't
> really sure if you'll be able to run large rule sets against all files and
> just how much help they will be.
>
> > Imagine this, I have a signature for shellcode that decrypts a PE in a
> certain way always at a certain offset. My Yara rule hits on this signature
> and triggers an event that unmasks the binary as well, out pops the
> dropper, that is scanned again, and hits on the signature I created for the
> dropper, etc, etc..
>
> This is one of those areas where the file would need to be extracted and
> re-analyzed.
>
> > Hope that helps paint the picture a little more :)
>
> Yes!  I'm just excited that someone that doesn't primarily look at network
> traffic is playing with Bro, or at least looking into it. :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
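Added example (not code from this thread, from Anthony's scratch_pad repository, or from the Bro project): the "extract temporarily, then re-analyze the whole file" approach Seth describes, written as a Bro script. Bro only ever sees file contents as a stream, so the script attaches the extract analyzer to files of selected MIME types, and once the file is complete hands the on-disk copy to the yara command-line tool through the Exec framework. It assumes Bro 2.3 (for file_sniff and base/utils/exec), a `yara` binary in PATH, and a rules file at the placeholder path `/path/to/rules.yar`; `YaraExtract`, `scan_types` and `yara_match` are names made up for this example.

```bro
##! Added example, not from the thread or the Bro project. Extract selected
##! files to disk and, once Bro has seen the whole file, scan the extracted
##! copy with the yara command-line tool. Assumes Bro 2.3, a `yara` binary in
##! PATH and a rules file at the placeholder path below.

@load base/frameworks/files
@load base/files/extract
@load base/utils/exec

module YaraExtract;

export {
    ## Placeholder: point this at your yara rules file.
    const rules_file = "/path/to/rules.yar" &redef;

    ## Only files with these MIME types are extracted and scanned.
    const scan_types: set[string] = {
        "application/x-dosexec",
        "application/zip",
    } &redef;

    ## Raised when yara reports at least one matching rule for an extracted file.
    global yara_match: event(f: fa_file, rules: vector of string);
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in scan_types )
        return;

    # File contents stream through Bro incrementally and are gone once
    # processed; writing them out is the only way to look at the complete
    # file afterwards.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fmt("yara-%s", f$id)]);
    }

event file_state_remove(f: fa_file)
    {
    # f$info$extracted is only set when the extract analyzer was attached.
    if ( ! f$info?$extracted )
        return;

    local path = build_path_compressed(FileExtract::prefix, f$info$extracted);
    local cmd = fmt("yara %s %s", rules_file, path);

    # Exec::run is asynchronous; the body runs after yara exits.
    when ( local r = Exec::run([$cmd=cmd]) )
        {
        # yara exits 0 whether or not it matched and prints one
        # "<rule> <path>" line per matching rule.
        if ( r$exit_code == 0 && r?$stdout && |r$stdout| > 0 )
            event yara_match(f, r$stdout);

        # The extraction is temporary; remove the copy once it has been scanned.
        unlink(path);
        }
    }

event yara_match(f: fa_file, rules: vector of string)
    {
    for ( i in rules )
        print fmt("yara match on file %s: %s", f$id, rules[i]);
    }
```

Anything that should happen in response to a match (raising a notice, queuing the extracted file for a second pass with a different rule set, decompressing an archive and feeding the members back through the file framework) hangs off the `yara_match` event, which is the "take action on X" hook the thread asks for; the scan itself still runs outside Bro's incremental pipeline because the whole file is needed.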