[Bro] Question: How to block a malicious file

Johanna Amann johanna at icir.org
Mon Jun 6 12:25:49 PDT 2016


Hello Giorgio,

Since Bro works completely passively, and is not an in-line component, Bro
itself cannot block a file. By the time that Bro can calculate the file
hash, the whole file already will have been transferred to the client who
was downloading it. You can just do after-the-fact reporting.

You could potentially use the NetControl framework (in master, will be
part of 2.5) to block future network connections of the hosts.

I hope this helps,
 Johanna

On Mon, Jun 06, 2016 at 05:29:48PM +0200, Giorgio Apuzzo wrote:
> Hi,
> I’m trying to write a script that, after checking the hash of a file on VirusTotal, will block it if malicious.
> I run a Ruby script that checks the hash against VirusTotal and returns 0 if not malicious and more if not.
> I have looked into the documentation but I can’t figure out how to block a file once I know it’s malicious.
> 
> Do I need an external tool?
> 
> Thanks
> 
> Giorgio Apuzzo
> giorgio.apuzzo at gmail.com
> 
> 
> 

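Added example, not part of the original thread and not code from the Bro project: a Bro script sketch of the approach described in the reply, where the hash verdict arrives after the transfer and NetControl is used to drop future connections of the sending host. The module name, the bad_sha1 set (standing in for the VirusTotal lookup result), the block_for interval and the choice of the debug plugin are assumptions made for illustration.

```bro
# Added example (not from the thread). Assumes Bro 2.5+ with NetControl.
module BlockBadFile;

export {
	redef enum Notice::Type += { Malicious_File };
	# Hypothetical verdict list; the all-zero hash is a constructed placeholder.
	const bad_sha1: set[string] = {
		"0000000000000000000000000000000000000000"
	} &redef;
	# Assumed block lifetime.
	const block_for = 1hr &redef;
}

event NetControl::init()
	{
	# The debug plugin only logs the rules it is asked to install.
	# Activate a real backend plugin here to actually enforce them.
	local p = NetControl::create_debug(T);
	NetControl::activate(p, 0);
	}

event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Raised only once the whole file has been seen, so the file itself
	# has already reached the client; only later traffic can be blocked.
	if ( kind != "sha1" || hash !in bad_sha1 )
		return;
	if ( ! f?$conns || ! f?$is_orig )
		return;

	for ( cid in f$conns )
		{
		# is_orig = T means the connection originator sent the file.
		local sender = f$is_orig ? cid$orig_h : cid$resp_h;
		NOTICE([$note=Malicious_File, $src=sender,
		        $msg=fmt("known-bad SHA1 %s from %s", hash, sender),
		        $identifier=cat(sender, hash)]);
		# Ask NetControl to drop future traffic of the sender for block_for.
		NetControl::drop_address(sender, block_for, "bad file hash");
		}
	}
```

With the debug plugin the rules appear only in netcontrol.log, which makes it possible to review what would be blocked before a real backend is activated.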