[Bro] [bro] extracting and submitting files - malware analysis

clautos sebclaut at gmail.com
Thu Sep 1 00:44:06 PDT 2016


Hello,

I've just installed Security Onion (the latest release) for testing
purposes and I'm trying to extract files and scan them with VirusTotal or
any other engine in an automated way.
I've seen the script detect-MHR.bro, which seems appropriate for that.

I've downloaded a pcap containing some adult website samples, including
malware executables downloaded by the client.
I ran the command
bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/extract-all-files.bro
Everything is fine, I have the malware sample, but when I run the command
bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/hash-all-files.bro
I get no output, and the same for the command detect-MHR.

So my questions are:
Did I miss something? Was the output sent somewhere other than the current
directory? (BTW, the executable is flagged red by almost 50 antivirus
engines on VirusTotal.)
Is there any better solution for automated detection of malware samples in
files?

Thanks for your reply
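An added example, not part of this post and not code from the Bro distribution: when bro -r is run with hash-all-files.bro the hashes are not printed to stdout but written into the md5/sha1/sha256 columns of files.log in the working directory, extract-all-files.bro fills the extracted column of the same log, and detect-MHR.bro reports hits in notice.log. The script below parses a files.log and lists which entries were hashed and which were written to disk without ever being hashed (the picture files.log shows when only the extraction script was loaded). The embedded log is constructed for the example: the column subset is reduced, and the hash values are digests of the empty string rather than of a real sample.

```python
"""Parse a Bro/Zeek files.log and report which entries were extracted and hashed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Bro files.log with a reduced column set. The parser
# reads the #fields header, so it works unchanged on a full-width log.
# Entry 1: extracted and hashed.  Entry 2: extracted but never hashed, which
# is what files.log looks like when hash-all-files.bro was not loaded.
# Hash values are placeholders (digests of the empty string), not a real sample.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename"
    "\tseen_bytes\tmd5\tsha1\tsha256\textracted\n"
    "#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring\tstring"
    "\tcount\tstring\tstring\tstring\tstring\n"
    "1472715846.000000\tFabc123\t203.0.113.10\t192.0.2.5\tHTTP"
    "\tapplication/x-dosexec\tinstall.exe\t122880"
    "\td41d8cd98f00b204e9800998ecf8427e"
    "\tda39a3ee5e6b4b0d3255bfef95601890afd80709"
    "\te3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    "\tHTTP-Fabc123.exe\n"
    "1472715847.000000\tFdef456\t203.0.113.10\t192.0.2.5\tHTTP"
    "\ttext/html\t-\t5120\t-\t-\t-\tHTTP-Fdef456.html\n"
    "#close\t2016-09-01-00-44-06\n"
)

Row = Dict[str, Optional[str]]


def parse_bro_log(text: str) -> List[Row]:
    """Parse Bro's tab-separated ASCII log format into one dict per record.

    Unset fields (the #unset_field marker, "-" by default) become None and
    empty fields (#empty_field, "(empty)" by default) become "".
    """
    fields: Optional[List[str]] = None
    unset, empty = "-", "(empty)"
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #separator, #path, #types, #close carry nothing we need
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        row: Row = {}
        for name, val in zip(fields, values):
            row[name] = None if val == unset else ("" if val == empty else val)
        rows.append(row)
    return rows


def hashed_samples(rows: List[Row]) -> List[Tuple[str, str, Optional[str]]]:
    """(fuid, sha256, extracted filename) for every entry that carries a SHA-256."""
    return [(r["fuid"], r["sha256"], r.get("extracted"))
            for r in rows if r.get("sha256")]


def unhashed_extracted(rows: List[Row]) -> List[str]:
    """fuids written to disk by the extract analyzer but never hashed."""
    return [r["fuid"] for r in rows if r.get("extracted") and not r.get("sha256")]


if __name__ == "__main__":
    # On a real box: open("files.log") from the directory where bro -r was run.
    records = parse_bro_log(SAMPLE_FILES_LOG)
    for fuid, sha256, path in hashed_samples(records):
        print(f"{fuid}\t{sha256}\t{path}")
    for fuid in unhashed_extracted(records):
        print(f"{fuid}\textracted but not hashed: load hash-all-files.bro as well")
```

Both policy scripts can be passed on the same bro -r command line, in which case each files.log entry for a fully seen file carries both its hashes and its extracted path; an entry with a path but no hashes means only the extraction script was loaded, and a file that was truncated in the capture (missing_bytes greater than zero in the full log) will have no hashes regardless.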