[Bro] BRO & Malware Hash Registry

Matthias Vallentin vallentin at ICSI.Berkeley.EDU
Wed Mar 10 11:22:18 PST 2010


> > Perhaps a better idea for BRO/VT capabilities is to use an
> > intermediate system which does the hash checking with VT and
> > caches the results. Bro could then use simple http to check
> > the hash against the intermediate system.
> 
> Matthias Vallentin has an idea for handling this sort of extended
> processing that can't currently be done (and possibly shouldn't be
> done) within Bro.  I'll let him introduce his thoughts relating to
> your idea if he wants.

It is already possible to process Bro events from a scripting language
(Ruby and Python currently) to perform time-intensive tasks separately,
without having to worry about real-time constraints. My idea is to push
this notion a little further by writing a framework that allows you to 

      (i) manage intelligence sources in a unified fashion, e.g.,
          blacklist integration
     (ii) generate/update both scripts and state remotely via broctl and
          the event-based Broccoli channel
    (iii) write high-level plug-ins (such as for Tor traffic, PDF
          analysis, or CWSandbox malware execution) that offer a
          consistent interface to Bro using primitives from (ii)

Seth brought point (i) to my attention, so I throw the ball back to him
for details :-)

Unfortunately, I am currently lacking the cycles to work on this idea.
But as soon as any of this is usable, you'll hear about it.

   Matthias
-- 
Matthias Vallentin
vallentin at icir.org
http://www.icir.org/matthias
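An added illustration of the intermediate caching service described in the quoted message (example code written for this page, not part of the original thread, of Bro, or of any VirusTotal/MHR client): a lookup cache that asks a slow backend once per hash per TTL, caches negative answers for a shorter time, and exposes the "simple http" check as a path handler. The backend, the hashes, and the `/check/<hash>` path are constructed assumptions.

```python
import time
from typing import Callable, Dict, Optional, Tuple

Result = Optional[str]  # e.g. "malicious" / "clean"; None = backend had no answer


class HashLookupCache:
    """Intermediate system: answers Bro's hash checks from a cache and only
    consults the slow external service (VirusTotal, MHR, ...) on a miss."""

    def __init__(self, backend: Callable[[str], Result],
                 ttl_hit: float = 3600.0, ttl_miss: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.backend, self.clock = backend, clock
        self.ttl_hit, self.ttl_miss = ttl_hit, ttl_miss  # negative answers expire sooner
        self._cache: Dict[str, Tuple[Result, float]] = {}  # digest -> (verdict, expiry)
        self.backend_calls = 0  # lets the operator see how much load the cache absorbs

    def lookup(self, digest: str) -> Result:
        digest = digest.strip().lower()
        if len(digest) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("not a hex MD5/SHA-1/SHA-256 digest")
        now = self.clock()
        entry = self._cache.get(digest)
        if entry is not None and entry[1] > now:
            return entry[0]  # fresh cached verdict, no backend round trip
        self.backend_calls += 1
        verdict = self.backend(digest)
        ttl = self.ttl_hit if verdict is not None else self.ttl_miss
        self._cache[digest] = (verdict, now + ttl)
        return verdict


def handle_query(cache: HashLookupCache, path: str) -> Tuple[int, str]:
    """The HTTP-facing side Bro would talk to: GET /check/<hash> -> (status, body)."""
    prefix = "/check/"
    if not path.startswith(prefix):
        return 404, "not found"
    try:
        verdict = cache.lookup(path[len(prefix):])
    except ValueError as exc:
        return 400, str(exc)
    return 200, verdict if verdict is not None else "unknown"


# Constructed stand-in for the external hash service (assumption, not a real client).
SAMPLE_VERDICTS = {"a" * 32: "malicious", "b" * 32: "clean"}


def sample_backend(digest: str) -> Result:
    return SAMPLE_VERDICTS.get(digest)
```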