[Bro] Question: How to block a malicious file
johanna at icir.org
Mon Jun 6 12:25:49 PDT 2016
Since Bro works completely passively, and is not an in-line component, Bro
itself cannot block a file. By the time that Bro can calculate the file
hash, the whole file already will have been transferred to the client who
was downloading it. You can just do after-the-fact reporting.

You could potentially use the NetControl framework (in master, will be
part of 2.5) to block future network connections of the hosts.

I hope this helps,
On Mon, Jun 06, 2016 at 05:29:48PM +0200, Giorgio Apuzzo wrote:
> I’m trying to write a script that after checking on VirusTotal the hash of a file will block it if malicious.
> I run a ruby script that checks the hash against VirusTotal and returns 0 if not malicious and more if not.
> I have looked into the documentation but I can’t figure out how to block a file once I know it’s malicious.
> Do I need an external tool?
> Giorgio Apuzzo
> giorgio.apuzzo at gmail.com
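
The NetControl approach mentioned in the reply, as an added example that is not part of the original thread or the Bro project's own code. It assumes Bro 2.5 with the NetControl debug backend, a hypothetical `bad_sha1` set standing in for the VirusTotal verdict, a hypothetical module name and block duration, and that the hosts to block are the ones that sent the file.

```bro
@load base/frameworks/netcontrol
@load base/frameworks/files

module BlockBadFiles;

export {
	# Hypothetical verdict list standing in for the external lookup.
	# The value below is a constructed placeholder, not a real indicator.
	const bad_sha1: set[string] = {
		"0000000000000000000000000000000000000000"
	} &redef;

	# Assumed block duration; the rule expires on its own afterwards.
	const block_time = 1 hr &redef;
}

event NetControl::init()
	{
	# The debug backend only logs the rules it is asked to install.
	# A deployment would activate a backend that talks to real
	# enforcement hardware or software instead.
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

event file_new(f: fa_file)
	{
	# Ask the file analysis framework to hash every file it sees.
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha1" || hash !in bad_sha1 )
		return;

	if ( ! f?$info )
		return;

	# The transfer has already completed at this point, so this only
	# affects future connections of the hosts that sent the file.
	for ( h in f$info$tx_hosts )
		NetControl::drop_address(h, block_time, fmt("malicious file %s", hash));
	}
```

With the debug backend, the resulting rules appear in `netcontrol.log` without any traffic being blocked, which makes it possible to review what would be dropped before connecting a real backend.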