[Bro] Bro --> Google Safe Browsing API?

John Green john at giggled.org
Wed Mar 25 06:44:27 PDT 2015

On 25 March 2015 at 12:52, Doug Burks <doug.burks at gmail.com> wrote:

> Hello all,
> Has anybody developed a script to have Bro query the Google Safe Browsing
> API?

For bulk lookups you need to maintain a local copy of the chunks which are
basically black/white lists of hash prefixes of the canonicalised URL
(Bloom filter).  This is the same data Chrome/Firefox use for safe browsing.

There is a reference implementation available which maintains a local
copy.  Then your script just needs to hash the URL (or one of a number of
different permutations) and check the prefix if it is present in both
lists.  If it is present in the blacklist then followup with a query to
Google for the full hash and compare.

I wrote some shoddy code a while ago against v2 of this spec to maintain a
local copy of the partial hashes within postgres.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150325/d90ee03c/attachment.html 

More information about the Bro mailing list