[Bro] Using Bro's file extraction script

Hille, Samson SHille at heartland.com
Tue Sep 2 13:41:59 PDT 2014


I am using Bro in Doug Burke’s Security Onion Suite.
I was wondering if there is a way to have the Bro script that extracts executables also send those executables to my firewall's API?
Example of the API command that might be included in the Bro script:
curl -i -k -vv -F apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -F file=@/nsm/bro/extracted/HTTP-FEQ4PS1wXd5LAgG3I4.exe https://examplefirewallapi.com

Taking this one step further:
Make the script verify the executables' file hashes before sending them to the API (to prevent checking the exact same exe twice).

Any feedback would be greatly appreciated!

Samson Hille
IT Security Analyst

