[Bro] IOCs data for hashes.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Aug 29 11:00:47 PDT 2016

Hi Chris,

Thank you for the suggestions.
The detect-MHR.bro script is already enabled in the local.bro file, but I
don't get any logging in notice.log file corresponding to Malware hash registry.

I looked at the script and the notice_threshold is set to 10 (10% min
detection rate) which is reasonable,
but as I was analyzing a malware hash, detected by other IDS device and
when checked on team cymru's lookup: https://hash.cymru.com had 26% as
detection rate, realized that there were no logs in
files.log and notice.log files corresponding to that hash.
Bro didn't log any hash for the file transfer that transpired.
1472425280.047247       Fs9rse1xsQgD2TIADa   x.x.x.x      CJFssC2o2RqHx6PJY8      HTTP    0       MD5,PE,SHA1     application/x-dosexec   -       11.101799       F       F       2122412 20265152      18142740 0

Also, when I checked, the Content-type reported by the IDS device
was: application/x-www-form-urlencoded and guessing that maybe files with
this mime-type are not hashed by bro probably.
I don't know why I am not able to find the corresponding hash in bro logs.


On Mon, Aug 29, 2016 at 10:42 AM, Chris Walsh <chris at cwalsh.org> wrote:

> Have you looked at https://www.bro.org/sphinx/scripts/policy/frameworks/
> files/detect-MHR.bro.html ?
> If I am understanding your goal, this seems to be a good fit for what
> you’re trying to do.
> Chris
> On Aug 29, 2016, at 8:30 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> Hi,
> I am working with BRO, trying to add the capability of malware detection
> using Bro.
> I am already using the intel framework provided by Bro and feeding IOC
> data into it.
> It successfully detects and logs the connection having bad IPs and domains
> in intel.log file.
> The functionality I would like to add is to detect any malware downloaded
> by any of the endpoints, and for that I need some good IOC data of hashes.
> I searched the internet for IOCs hashes but couldn't find any good source
> for it.
> Does anyone have any pointers in the same direction? or any other magic
> that can be used to accomplish the same purpose?