[Bro] Bro --> Google Safe Browsing API?
john at giggled.org
Wed Mar 25 06:44:27 PDT 2015
On 25 March 2015 at 12:52, Doug Burks <doug.burks at gmail.com> wrote:
> Hello all,
> Has anybody developed a script to have Bro query the Google Safe Browsing

For bulk lookups you need to maintain a local copy of the chunks which are
basically black/white lists of hash prefixes of the canonicalised URL
(Bloom filter). This is the same data Chrome/Firefox use for safe browsing.

There is a reference implementation available which maintains a local
copy. Then your script just needs to hash the URL (or one of a number of
different permutations) and check whether the prefix is present in both
lists. If it is present in the blacklist then follow up with a query to
Google for the full hash and compare.

I wrote some shoddy code a while ago against v2 of this spec to maintain a
local copy of the partial hashes within postgres.
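
The local half of the lookup described in the message above, as an added example that is not part of the original post or of any reference implementation. It assumes the URL is already canonicalised, that permutations follow the host-suffix/path-prefix rules of the Safe Browsing v2 developer guide, and that the local list holds 4-byte SHA-256 prefixes; all function names and the sample blacklist are constructed for illustration.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: local lists hold 4-byte SHA-256 prefixes

def host_suffixes(host):
    """Exact host plus up to 4 suffixes from its last 5 labels (never the bare TLD)."""
    try:
        ipaddress.ip_address(host)
        return [host]                      # IP literals get no suffix variants
    except ValueError:
        pass
    tail = host.split(".")[-5:]
    out = [host]
    for i in range(len(tail) - 1):         # stop before the single-label TLD
        cand = ".".join(tail[i:])
        if cand not in out:
            out.append(cand)
    return out

def path_prefixes(path, query):
    """Path with query, path alone, then '/' and up to 3 deeper directory prefixes."""
    out = [path + "?" + query] if query else []
    out.append(path)
    prefix, cands = "/", ["/"]
    for part in path.split("/")[1:-1][:3]:
        prefix += part + "/"
        cands.append(prefix)
    return out + [c for c in cands if c not in out]

def expressions(url):
    """All host-suffix/path-prefix permutations of an already canonicalised URL."""
    u = urlsplit(url)
    return [h + p for h in host_suffixes(u.hostname)
            for p in path_prefixes(u.path or "/", u.query)]

def hash_prefix(expr):
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]

def local_hits(url, blacklist):
    """Expressions whose prefix is in the local blacklist; only these need the
    follow-up full-hash query before the URL can be called a match."""
    return [e for e in expressions(url) if hash_prefix(e) in blacklist]

# Constructed sample data: a one-entry local blacklist and two URLs.
BLACKLIST = {hash_prefix("b.c/1/")}
if __name__ == "__main__":
    for url in ("http://a.b.c/1/2.html?param=1", "http://example.org/index.html"):
        print(url, "->", local_hits(url, BLACKLIST) or "no local hit")
```

A local hit is only a prefix collision candidate; the verdict comes from comparing the full hash returned by the follow-up query.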