[Bro] Using Bro's file extraction script

Mike Sconzo sconzo at visiblerisk.com
Tue Sep 2 14:00:01 PDT 2014


You can pretty much do whatever you'd like with the extraction stuff.

Here's something I wrote that uses curl to check the VirusTotal API:
https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro
There's no reason you can't reference the extracted file and curl it
elsewhere.

We actually did something similar; we just wrote an external script to call
(instead of just curl) to keep track of hashes and then do the submit,
etc. It works nicely. The biggest challenge was getting something to keep
track of the hashes to check for duplicates.

-=Mike


On Tue, Sep 2, 2014 at 3:41 PM, Hille, Samson <SHille at heartland.com> wrote:

> Hello!
>
> I am using Bro in Doug Burks' Security Onion suite.
>
> I was wondering if there is a way to have the Bro script that extracts
> executables to also send the executables to my firewall's API?
>
> Example of the API command that might be included in the Bro script:
>
> curl -i -k -vv -F apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -F
> file=@/nsm/bro/extracted/HTTP-FEQ4PS1wXd5LAgG3I4.exe
> https://examplefirewallapi.com
>
> Taking this one step further:
>
> Make the script verify the executables' file hashes before sending them
> to the API (to prevent checking the exact same exe twice).
>
> Any feedback would be greatly appreciated!
>
> *Samson Hille*
>
> IT Security Analyst
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
cat ~/.bash_history > documentation.txt
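As an added illustration of the approach Mike describes (an external script that Bro calls after extracting a file, which tracks hashes and submits only new files), here is a POSIX shell helper. It is example code written for this page, not Mike's script, not the vt_check.bro linked above, and not part of Bro or Security Onion. The variable names SEEN_DB, API_URL, API_KEY, CA_CERT and DRY_RUN are assumptions; the API URL and key are the placeholders from Samson's question. The Bro side is assumed to invoke it with the extracted file's path as its only argument (for instance via Bro's `system()` call from the script's file-extraction handler).

```shell
#!/bin/sh
# Added example (not from the thread, Mike's script, or Bro): a submit helper
# that a Bro file-extraction script can exec once a file has been written.
# Hashes the file, skips it if that hash was already submitted, otherwise
# uploads it (the curl call from the question) and records the hash.
# SEEN_DB, API_URL, API_KEY, CA_CERT and DRY_RUN are assumed names; the URL
# and key values are the placeholders from the question.

: "${SEEN_DB:=/nsm/bro/extracted/submitted-hashes.txt}"
: "${API_URL:=https://examplefirewallapi.com}"
: "${API_KEY:=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
: "${CA_CERT:=}"        # path to the firewall API's CA cert; replaces curl -k
: "${DRY_RUN:=1}"       # 1 = print what would be sent instead of calling curl

# SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if this hash is already recorded in SEEN_DB, 1 otherwise.
# -F matches the digest literally, -x requires a whole-line match.
seen_before() {
    [ -f "$SEEN_DB" ] && grep -qxF "$1" "$SEEN_DB"
}

record_hash() {
    printf '%s\n' "$1" >> "$SEEN_DB"
}

# Upload one file. Uses --cacert when CA_CERT is set instead of -k, which
# would silently disable certificate verification for the API endpoint.
submit_file() {
    f="$1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY_RUN: would POST $f to $API_URL"
        return 0
    fi
    if [ -n "$CA_CERT" ]; then
        set -- --cacert "$CA_CERT"
    else
        set --
    fi
    curl -sS -f "$@" -F "apikey=$API_KEY" -F "file=@$f" "$API_URL"
}

# Entry point: submit a file unless its hash was seen before.
# Returns 0 on submit, 2 on duplicate, 1 on missing file or upload failure.
process_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    h=$(file_hash "$f")
    if seen_before "$h"; then
        echo "skip duplicate $h ($f)"
        return 2
    fi
    submit_file "$f" && record_hash "$h"
}

# When run from Bro the extracted file's path is the only argument.
if [ $# -gt 0 ]; then
    process_file "$1"
fi
```

Two practical notes: if several Bro workers can extract the same file at once, wrap the check-and-record in a lock (for example `flock` on the hash file, which is not POSIX but is standard on Linux) or the same hash can be submitted twice in that window; and since Bro's files framework can already compute the hash when the SHA256 analyzer is attached, the Bro script could pass that digest as a second argument and skip re-reading the file here.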