[Bro] MD5 Hashing
Seth Hall
seth at icir.org
Tue Mar 13 11:55:42 PDT 2012
On Mar 13, 2012, at 2:22 PM, Chris Crawford wrote:
> What is the correct way to turn on MD5 hashing in SMTP and HTTP logs?
> Which variables do I need to set in my share/bro/site/local.bro ?
# Windows executables are hashed by default (it's a regex matching the mime type of the file)
redef HTTP::generate_md5 += /image.*/;
redef SMTP::generate_md5 += /image.*/;
Those were pulled from these pages in our docs…
http://www.bro-ids.org/documentation/scripts/base/protocols/http/file-hash.html#id-HTTP::generate_md5
http://www.bro-ids.org/documentation/scripts/base/protocols/smtp/entities.html#id-SMTP::generate_md5
This is being seriously reworked for 2.1 right now too. There is going to be a file analysis policy where you will be able to declare more easily with much better granularity when you'd like to do certain analyses.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/