philosnef at gmail.com
Thu Sep 29 04:33:26 PDT 2016
As an aside, even after disabling pe_xor (out of curiosity), we are still
not seeing the filenames. Out of 74,000 files.log entries, only 620 have
filenames. Of those, 99.52% are f.txt filenames (from google)...
On Thu, Sep 29, 2016 at 7:22 AM, erik clark <philosnef at gmail.com> wrote:
> According to splunk/files.log, these list "pe_xor, md5, sha1, sha256" in
> the analyzer section. It's actually a lot more than that, and slight
> variations. Generally speaking, almost every entry is a variant of those 4
> analyzers. Could this be an issue with the pe_xor module? Moreover, files
> that we have filenames for (f.txt from google for instance) have the same
> analyzers running as well.
> On Wed, Sep 28, 2016 at 10:16 PM, Seth Hall <seth at icir.org> wrote:
>> > On Sep 28, 2016, at 1:50 PM, erik clark <philosnef at gmail.com> wrote:
>> > 98% of all entries in our files.log are null values. Is this to be
>> What analyzers are the files coming from?
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
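The thread is counting, by hand, how many files.log rows carry a filename and which analyzer combinations appear. The script below is an added example (not code from the thread, from Bro, or from Splunk) that does the same accounting directly from a Bro ASCII log: it reads the `#fields`, `#separator`, `#set_separator`, `#unset_field` and `#empty_field` headers that the ASCII writer emits, treats the unset marker as "no filename", and sorts each `analyzers` set before counting so that rows that differ only in set ordering (the "slight variations" mentioned above) collapse into one key. The sample log embedded in the script is constructed, with a reduced column set, and the `PE_XOR` analyzer name is an assumption taken from the thread's "pe_xor"; the rest of the columns follow Bro's default files.log layout. One caveat worth keeping in mind when reading the numbers: `filename` is only filled when the carrying protocol supplies a name (for HTTP, Bro 2.x takes it from a Content-Disposition header), so a low filename rate on HTTP traffic is expected and not by itself evidence that an analyzer is misbehaving.

```python
from collections import Counter

# Constructed sample of a Bro files.log as written by the ASCII writer.
# Not real data from the thread; columns are trimmed to the ones used here.
# "PE_XOR" is an assumed spelling of the thread's "pe_xor" analyzer.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\tsource\tanalyzers\tmime_type\tfilename\tmd5\tsha1\tsha256\n"
    "#types\ttime\tstring\tstring\tset[string]\tstring\tstring\tstring\tstring\tstring\n"
    "1475140000.1\tFa1\tHTTP\tPE_XOR,MD5,SHA1,SHA256\ttext/plain\tf.txt\t-\t-\t-\n"
    "1475140001.2\tFa2\tHTTP\tPE_XOR,MD5,SHA1,SHA256\ttext/html\t-\t-\t-\t-\n"
    "1475140002.3\tFa3\tHTTP\tMD5,SHA1,SHA256,PE_XOR\timage/png\t-\t-\t-\t-\n"
    "1475140003.4\tFa4\tSMTP\tMD5,SHA1,SHA256\tapplication/pdf\tinvoice.pdf\t-\t-\t-\n"
    "1475140004.5\tFa5\tHTTP\t(empty)\t-\t-\t-\t-\t-\n"
    "#close\t2016-09-29-04-33-26\n"
)


def parse_bro_log(text):
    """Parse a Bro ASCII log into (rows, meta).

    rows is a list of dicts keyed by the #fields header; meta carries the
    set separator and the unset/empty markers so callers can interpret
    "-" and "(empty)" the same way the writer meant them.
    """
    sep = "\t"
    meta = {"set_separator": ",", "unset_field": "-", "empty_field": "(empty)"}
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is written escaped, e.g. "\x09" for tab.
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key in meta:
                meta[key] = value
            # #path, #types, #open, #close carry nothing we need here.
            continue
        if fields is None:
            raise ValueError("data line seen before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch on line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows, meta


def summarize_files_log(text, top_n=5):
    """Report how many rows have a filename and which analyzer sets occur."""
    rows, meta = parse_bro_log(text)
    unset, empty, set_sep = meta["unset_field"], meta["empty_field"], meta["set_separator"]

    named = [r for r in rows if r["filename"] != unset]

    # Canonicalise each analyzers set by sorting, so "A,B,C" and "C,A,B"
    # count as the same combination rather than as "slight variations".
    analyzer_sets = Counter()
    for r in rows:
        raw = r["analyzers"]
        members = () if raw in (unset, empty) else tuple(sorted(raw.split(set_sep)))
        analyzer_sets[members] += 1

    filenames = Counter(r["filename"] for r in named)
    total = len(rows)
    return {
        "total": total,
        "with_filename": len(named),
        "filename_pct": round(100.0 * len(named) / total, 2) if total else 0.0,
        "analyzer_sets": analyzer_sets.most_common(top_n),
        "top_filenames": filenames.most_common(top_n),
    }


if __name__ == "__main__":
    report = summarize_files_log(SAMPLE_FILES_LOG)
    print("rows: %d, with filename: %d (%.2f%%)"
          % (report["total"], report["with_filename"], report["filename_pct"]))
    for members, n in report["analyzer_sets"]:
        print("%6d  analyzers=%s" % (n, ",".join(members) or "(none)"))
    for name, n in report["top_filenames"]:
        print("%6d  filename=%s" % (n, name))
```

To run it against a real log, replace `SAMPLE_FILES_LOG` with the contents of your files.log (uncompressed, with its header block intact); the same parser works for any Bro ASCII log since it takes the column names from `#fields` rather than assuming a fixed layout.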