[Bro] File Scanning Capability
Will
baxterw3232 at gmail.com
Mon Mar 21 12:44:01 PDT 2011
On Mon, Mar 21, 2011 at 2:49 PM, Seth Hall <seth at icir.org> wrote:
>
> On Mar 21, 2011, at 2:16 PM, Will wrote:
>
> > I will without a doubt eventually incorporate
> > "http-ext-identified-files.sig" instead of what I am currently using, but I
> > am having trouble determining where to integrate the logic for handling each
> > file type. As it currently works, I am saving off every pdf and word doc,
> > which would be unnecessary if I used bro to call the external tools and
> > evaluate the results.
>
> That won't actually work quite right. The http-ext-identified-files.sig
> file uses special signature keywords that the http analyzer provides to
> detect file types. It's not directly applicable to SMTP/MIME transfers.
>

Understandable. Being that there are so many different types, it would be
beneficial enough to create a signature file for SMTP/MIME. I would be happy
to share it when I get it done.

> > Current logic (this method calls for the external tools to be run against
> > the directory by cron and are independent of Bro):
> > hot_attachment_dump_fh = open( hot_attachment_dumpname );
> > write_file(hot_attachment_dump_fh, data);
> > close(hot_attachment_dump_fh);
>
> In what event are you currently running using this code?
>
Here is the entire event:

event mime_entity_data(c: connection, length: count, data: string)
{
    local session = get_session(c, T);

    # md5 hashing is now a builtin function, so just call it and dump the
    # result into the content_hash field (that field in the info struct was
    # already there, just had to add this to fill it).
    session$content_hash = md5_hash(data);

    # log the first 256 bytes of the attachment and the MD5 hash.
    mime_log_msg(session, "data", fmt("%d: %s", length, sub_bytes(data, 0, 256)));
    mime_log_msg(session, "all data", fmt("MD5: %s", session$content_hash));

    # if the hot flag is set then we dump the MIME-decoded attachment to
    # its own file for analysis
    if ( session$entity_is_hot )
    {
        # declared here so the snippet stands alone (in the attached mime.bro
        # these live at script scope)
        local hot_attachment_dumpname = "";
        local hot_attachment_dump_fh: file;

        if ( session$entity_filename == hot_pdf_attachment_filenames )
        {
            # build the filename out of MD5, length and filename
            hot_attachment_dumpname = fmt("dumped_pdf_files/%s:%d:%s",
                                          session$content_hash, length,
                                          session$entity_filename);
        }
        if ( session$entity_filename == hot_word_attachment_filenames )
        {
            hot_attachment_dumpname = fmt("dumped_doc_files/%s:%d:%s",
                                          session$content_hash, length,
                                          session$entity_filename);
        }

        # get a raw filehandle, notice open() instead of open_log_file(),
        # write the data out, and be sure to close the fh
        hot_attachment_dump_fh = open( hot_attachment_dumpname );
        write_file(hot_attachment_dump_fh, data);
        close(hot_attachment_dump_fh);

        # log stuff to the hot logfile as well
        mime_log_hot_msg(session, "hot data", fmt("%d: %s", length,
                                                  sub_bytes(data, 0, 256)));
        mime_log_hot_msg(session, "hot data", fmt("File dumped: %s MD5: %s",
                                                  session$entity_filename,
                                                  session$content_hash));
    }
}

I attached the modified mime.bro in case anyone wanted to see how the
rest of it works.
> > The scan for office docs would be similar, but use 'OfficeMalScanner'
> > instead of pdfid.py and pdf-parser.py. If I get this to work, I would like
> > to do something very similar with http files.
>
> Makes sense.
>
> > How can I call the external tools? Is this the right place to be doing
> > this?
>
> You can't currently do this in a way that would be feasible on live
> traffic. The problem is that the call to the external tool would block Bro
> and cause it to start dropping packets. There is a "when" statement that
> can help build asynchronous function calls though. So that the stack state
> will be saved and used again when the function call returns. I don't know
> if the system() (I think this is what you're looking for to run external
> programs) function can be used with the when statement though.
I suppose the short answer is yes. I was looking for something like the
system() call. Like modifying the PyBroccoli Example from below:

PyBroccoli Example:

from broccoli import *

@event
def pong(src_time, dst_time):
    print "pong event: time=%f/%f s" % \
        (dst_time - src_time, current_time() - src_time)

bc = Connection("127.0.0.1:47758")
bc.send("ping", time(current_time()))

To:

import os
from broccoli import *

# (event == dumped pdf file)
@event
def pass_pdf(file):
    # run the scanner against the dumped file and keep its output in tempdir
    os.system("pdf_scan.py -f %s > tempdir" % file)

With what you mentioned taken into account, we can't ask bro to wait on the
results, but maybe we could dump the results to a logfile for alerting?
> If you are looking to run this on tracefiles for now though, you can
> certainly just use the system function to call your external tool. It takes
> a single argument (a string) that is the command line you'd like to run.
> There is a function for defanging data if you need to do that too (taking
> something off the line and using it in the command line) named
> str_shell_escape. You do need to make sure that the data that is defanged
> with str_shell_escape is placed within double-quotes.
>
> > I would be surprised if this capability doesn't already exist and suppose
> > I might be going about this all wrong. I would just prefer to incorporate
> > the file scans in Bro vice running them completely independently. If I
> > wasn't clear or am completely out in left field feel free to be honest. I
> > won't be offended.
>
> Nope, not out in left field at all and personally I'm a bit ashamed I never
> wrote a mime-ext.bro script that was a bit more capable like the http-ext
> script. I'm going to be rewriting the mime.bro script for the next release
> though and it will definitely have file extraction and identification
> capabilities built into it. However, we are going to be working toward a
> much more generalized notion of files for some future release of Bro. I've
> worked a bit on how that may proceed, but unfortunately we definitely won't
> be anywhere close to ready with that for the next release.
>
<sarcasm>
Maybe you should charge "more" for Bro...
</sarcasm>
No, you all are doing a great job on this project. I just wish I could do
more to help.
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
Will
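Added example, not code from the thread or from Bro: the dump-and-scan approach above takes the attachment name straight from the MIME header and builds a path and a command line from it, so two defensive steps are worth showing in Python (the language of the PyBroccoli sketch). The first builds the same md5:length:filename dump name while refusing directory components and unsafe characters; the second runs the scanner as an argv list, so no shell parses the name and no str_shell_escape-style quoting is needed. The scanner name pdfid.py is taken from the thread; the dump directory and the sample inputs are assumed.

```python
import hashlib
import os
import re
import subprocess

DUMP_ROOT = "dumped_pdf_files"  # assumed dump directory, as in the fmt() call above

# Anything outside this set is replaced; it excludes path separators, shell
# metacharacters and whitespace.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def dump_path(data, entity_filename, root=DUMP_ROOT):
    """Build <root>/<md5>:<length>:<sanitized name>, mirroring the Bro snippet.

    entity_filename is attacker controlled (it comes from the MIME headers), so
    strip directory components first, then reduce the rest to a safe charset.
    """
    base = os.path.basename(entity_filename.replace("\\", "/"))
    safe = _UNSAFE.sub("_", base).lstrip(".") or "unnamed"  # "." and ".." -> unnamed
    name = "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), safe)
    path = os.path.join(root, name)
    # Belt and braces: the final path must still resolve inside the dump root.
    abs_root = os.path.abspath(root)
    if os.path.commonpath([abs_root, os.path.abspath(path)]) != abs_root:
        raise ValueError("dump path escaped the dump root")
    return path

def scan_command(path, scanner="pdfid.py"):
    """Argument vector for the scanner: one argv element per item, no shell."""
    return [scanner, path]

def scan_file(path, scanner="pdfid.py", timeout=60):
    """Run the scanner with shell=False and a timeout.

    Hostile PDFs can make parsers hang, so the timeout bounds how long the
    scanner can tie up the worker that called it; the (returncode, stdout)
    pair can then be written to a log for alerting, as discussed above.
    """
    proc = subprocess.run(scan_command(path, scanner), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```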
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mime.bro
Type: application/octet-stream
Size: 11934 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110321/24f6c184/attachment.obj