[Bro] IOCs data for hashes.
fatema.bannatwala at gmail.com
Tue Aug 30 10:46:35 PDT 2016
Thanks Justin for the answer.
Yeah, we realized that we were having some capture loss with our BRO
sensors, it's fixed now.
On Mon, Aug 29, 2016 at 2:13 PM, Azoff, Justin S <jazoff at illinois.edu>
> > On Aug 29, 2016, at 2:00 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> > Hi Chris,
> > Thank you for the suggestions.
> > The detect-MHR.bro script is already enabled in the local.bro file, but
> I don't get any
> > logging in notice.log file corresponding to Malware hash registry.
> > I looked at the script and the notice_threshold is set to 10 (10% min
> detection rate) which is reasonable,
> > but as I was analyzing a malware hash, detected by other IDS device and
> when checked on team cymru's lookup: https://hash.cymru.com had 26% as
> detection rate, realized that there were no logs in
> > files.log and notice.log files corresponding to that hash.
> > Bro didn't log any hash for the file transfer that transpired.
> > 1472425280.047247 Fs9rse1xsQgD2TIADa 22.214.171.124
> x.x.x.x CJFssC2o2RqHx6PJY8 HTTP 0 MD5,PE,SHA1
> application/x-dosexec - 11.101799 F F 2122412
> 20265152 18142740 0
> Those last 3 numbers are
> seen_bytes = 2122412
> total_bytes = 20265152
> missing_bytes = 18142740
> Bro did not see 90% of the bytes of the file, it can't hash what it didn't
> - Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro