[Bro] Bro Digest, Vol 122, Issue 6

fatema bannatwala fatema.bannatwala at gmail.com
Mon Jun 6 12:29:11 PDT 2016

Hi Giorgio,

As I recall, BRO only provides tap mode so far; I haven't heard of using BRO
in inline mode, or I might be wrong.
So BRO really can't block anything in your traffic; you need to use
external scripts to perform the trick for you.
One of the possible solutions, as far as I can think off the top of my head, is
to block the source IP from which the file is being transferred,
because I think once BRO logs the file details in the log file, the transfer
has already happened, so I think you can't block the file transfer in
transit. Or there might be ways which I might not be familiar with.
Can you share your script?


On Mon, Jun 6, 2016 at 3:00 PM, <bro-request at bro.org> wrote:

> Today's Topics:
>    1. Question: How to block a malicious file (Giorgio Apuzzo)
> ----------------------------------------------------------------------
> Message: 1
> Date: Mon, 6 Jun 2016 17:29:48 +0200
> From: Giorgio Apuzzo <giorgio.apuzzo at gmail.com>
> Subject: [Bro] Question: How to block a malicious file
> To: bro at bro.org
> Message-ID: <1E582584-C84F-4E47-A032-BA640C922927 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> Hi,
> I'm trying to write a script that, after checking on VirusTotal the hash
> of a file, will block it if malicious.
> I run a ruby script that checks the hash against VirusTotal and returns 0
> if not malicious and more if not.
> I have looked into the documentation but I can't figure out how to block a
> file once I know it's malicious.
> Do I need an external tool?
> Thanks
> Giorgio Apuzzo
> giorgio.apuzzo at gmail.com
> End of Bro Digest, Vol 122, Issue 6
> ***********************************
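
Added example (not part of the original messages and not Bro's own code): an external script of the kind the reply describes, reading Bro's files.log after the fact and listing the sending hosts (tx_hosts) that served a flagged hash, as candidates for blocking later traffic. The reduced sample log, the BAD hash and the is_malicious callback are constructed stand-ins for a real log and the VirusTotal lookup; applying the block is left to whatever firewall is in use.

```python
import io

# Constructed, reduced files.log sample (real logs carry more columns); not real traffic.
BAD = "b" * 40  # constructed stand-in for a SHA1 the hash lookup flagged
SAMPLE = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#unset_field\t-",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsha1",
    "#types\ttime\tstring\tset[addr]\tset[addr]\tstring",
    "1465226951.1\tFa1\t203.0.113.10\t192.0.2.5\t" + BAD,
    "1465226952.2\tFa2\t198.51.100.7\t192.0.2.5\t" + "a" * 40,
    "1465226953.3\tFa3\t203.0.113.10\t192.0.2.6\t-",
    "1465226954.4\tFa4\t203.0.113.44,203.0.113.45\t192.0.2.6\t" + BAD,
]) + "\n"


def parse_bro_log(stream):
    """Yield one dict per record, named and typed by the #fields/#types headers."""
    meta = {"set_separator": [","], "unset_field": ["-"]}
    for line in stream:
        cols = line.rstrip("\n").split("\t")
        if line.startswith("#"):
            meta[cols[0][1:]] = cols[1:]  # e.g. meta["fields"] = [column names]
            continue
        rec = {}
        for name, typ, val in zip(meta["fields"], meta["types"], cols):
            if val == meta["unset_field"][0]:
                rec[name] = None
            elif typ.startswith(("set[", "vector[")):
                rec[name] = val.split(meta["set_separator"][0])
            else:
                rec[name] = val
        yield rec


def sources_to_block(stream, is_malicious):
    """Map each sending host to the flagged hashes it served."""
    hits = {}
    for rec in parse_bro_log(stream):
        sha1 = rec.get("sha1")
        if sha1 is None or not is_malicious(sha1):  # unset: Bro did not hash it
            continue
        for host in rec.get("tx_hosts") or []:
            hits.setdefault(host, []).append(sha1)
    return hits


if __name__ == "__main__":
    print(sources_to_block(io.StringIO(SAMPLE), lambda h: h == BAD))
```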