[Bro] MD5 Hashing

Mike Sconzo sconzo at visiblerisk.com
Tue Mar 13 12:54:27 PDT 2012


Will the changes in 2.1 allow for passing of data to an MD5 function?
Or will it (the file analysis policy) use protocol knowledge + magic
number to determine if it should be MD5'd or not?

I only ask because seeing an exe downloaded with a mime type of
image/jpg is not completely uncommon.

On Tue, Mar 13, 2012 at 2:30 PM, Seth Hall <seth at icir.org> wrote:
>
> On Mar 13, 2012, at 3:24 PM, Chris Crawford wrote:
>
>> So, hypothetically, if I wanted SMTP to MD5 hash all mime types that
>> are image.* or application.*, I would add the lines below to my
>> local.bro?
>>
>> redef SMTP::generate_md5 += /image.*/;
>> redef SMTP::generate_md5 += /application.*/;
>
> Yep, just keeping in mind that the PDF mime type falls within application/ too (and a number of others).
>
>> I'm assuming that the += operator appends new regular expressions.  Is
>> that correct?
>
>
> Correct.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
cat ~/.bash_history > documentation.txt
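The mismatch raised in this message (an exe arriving with a declared type of image/jpg), as an added Python example that is not part of the original thread and is not Bro script. It applies the two patterns from the quoted `redef` lines to both the declared type and a type sniffed from the leading bytes; the magic table, function names and sample payloads are assumptions constructed for illustration.

```python
import hashlib
import re

# The two patterns from the thread, matched from the start of the MIME string
# (assumption: how the match is applied here, not a statement about Bro).
GENERATE_MD5 = [re.compile(r"image.*"), re.compile(r"application.*")]

# Assumption: a deliberately tiny magic-number table, not a full file(1) database.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
]

def sniff_mime(data):
    """Return a MIME type guessed from the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def _wanted(mime):
    return mime is not None and any(p.match(mime) for p in GENERATE_MD5)

def _family(mime):
    return mime.split("/")[0].lower()

def analyze(declared, data):
    """Hash if either the declared or the sniffed type matches a pattern,
    and flag bodies whose sniffed top-level type contradicts the declared one."""
    sniffed = sniff_mime(data)
    do_hash = _wanted(declared) or _wanted(sniffed)
    return {
        "declared": declared,
        "sniffed": sniffed,
        "mismatch": sniffed is not None and _family(sniffed) != _family(declared),
        "md5": hashlib.md5(data).hexdigest() if do_hash else None,
    }

# Constructed sample bodies (headers only, padded; not real files).
EXE = b"MZ\x90\x00" + b"\x00" * 60
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
TEXT = b"hello\n"

if __name__ == "__main__":
    for declared, body in [("image/jpg", EXE), ("image/jpg", JPEG),
                           ("text/plain", EXE), ("text/plain", TEXT)]:
        print(analyze(declared, body))
```

The `text/plain` case with an `MZ` body is the one a policy keyed only on the declared type would never hash.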



