[Bro] Bro + Yara File Scanning Module?

Kurt Grutzmacher grutz at jingojango.net
Fri Jul 25 08:01:13 PDT 2014


These solutions are very awesome and mirror the path we are taking at Cisco
with OpenSOC to scale up and out. I'll be speaking a bit deeper about our
plans at BroCon in a few weeks but the theories are very similar: gather
telemetry data (bro logs), gather intelligence data (yara results, threat
intel lists, etc), inspect (storm, python scripts, etc).

For this specific instance we queue the logs through kafka to enter our
storm topology and plan to throw the files into hdfs for retention/deeper
analysis.



--
 Kurt Grutzmacher -=- grutz at jingojango.net


On Fri, Jul 25, 2014 at 7:38 AM, Mike Reeves <luke at geekempire.com> wrote:

> The process I use is I have all of the files being written to a directory,
> then a Python script monitors that for new files. It uses a Redis keystore
> and checks the sha256 of the file. If it exists in the keystore it simply
> deletes the file and moves on. If it does not exist it adds it to the
> keystore and then moves it somewhere else. This could be Yara or whatever.
> I will see if I can dig it up but it was rather simple Python. I did this
> because I didn't want to tie up Bro, especially if you are seeing high file
> volume.
>
> Mike
>
> On Jul 25, 2014, at 10:03 AM, Jason Batchelor <jxbatchelor at gmail.com>
> wrote:
>
> > Hello all:
> >
> > I wanted to poke the hive mind to see if anyone has considered, or is
> > actively pursuing, integrating Yara into a Bro script?
> >
> > An idea for a script I would like to write is to simply take any file
> > from a 'file_new' event. Then add something like Files::ANALYZER_YARA that
> > would do the heavy lifting and take a user defined path to a master Yara
> > file, scan the file, append the results to either files.log or notice.log,
> > and finally, extract any file that hit on a signature (for further
> > analysis).
> >
> > Interested if this is something that has been considered previously? If
> > so, what were the results? If not, I'm happy to spin off an effort of my
> > own. Either way I see it as a good project to get into Bro scripting at a
> > deeper level.
> >
> > Thanks,
> > Jason
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
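As an added illustration of the dedup-then-dispatch process Mike describes above (example code written for this page, not code from the thread or from Bro), the following Python sketch hashes every file in an extraction directory, asks a seen-set whether the sha256 is new, deletes repeats, and moves fresh files on to a scan step. Everything not in Mike's description is an assumption: the Redis keystore is replaced by an in-memory stand-in with the same add-if-new semantics (with redis-py, `r.sadd("seen", digest)` returning 1 plays that role and is atomic across several watcher processes), the Yara scan by a byte-pattern matcher over constructed rules (with yara-python it would be `yara.compile(filepath=master).match(path)`), the sample files are constructed inline, and the `min_age` guard skips files Bro may still be writing.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large extracted files never load whole into RAM


def sha256_of(path):
    """Hex sha256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class SeenStore:
    """In-memory stand-in (assumption) for the Redis keystore in Mike's process.
    With redis-py the equivalent is `r.sadd("seen", digest) == 1`, which is atomic
    across several watcher processes; a Python set is not, and is only for the demo."""

    def __init__(self):
        self._seen = set()

    def add_if_new(self, digest):
        if digest in self._seen:
            return False
        self._seen.add(digest)
        return True


# Constructed rules standing in for a master Yara file (assumption, not real signatures).
DEMO_RULES = {"demo_marker": b"DEMO-MARKER", "pdf_with_js": b"/JavaScript"}


def demo_scanner(path):
    """Stand-in for the Yara step: names of DEMO_RULES whose pattern occurs in the file.
    With yara-python this would be `yara.compile(filepath=master).match(str(path))`."""
    data = Path(path).read_bytes()
    return [name for name, pat in DEMO_RULES.items() if pat in data]


def process_directory(incoming, outgoing, store, scanner=None, min_age=0.0):
    """One pass over the extraction directory: hash, dedup against `store`, delete
    repeats, move new files to `outgoing` (renamed to their digest) and hand them to
    `scanner`. Files modified less than `min_age` seconds ago are skipped, since Bro
    may still be writing them (assumption: a settle time is how the watcher avoids
    hashing a half-written file). Returns (new_count, dup_count, {dest: matches})."""
    results = {}
    new = dup = 0
    now = time.time()
    for entry in sorted(Path(incoming).iterdir()):
        if not entry.is_file():
            continue
        if min_age and now - entry.stat().st_mtime < min_age:
            continue  # still being written; pick it up on a later pass
        digest = sha256_of(entry)
        if not store.add_if_new(digest):
            entry.unlink()  # seen before: delete and move on
            dup += 1
            continue
        dest = Path(outgoing) / (digest + entry.suffix)
        shutil.move(str(entry), str(dest))
        new += 1
        if scanner is not None:
            results[str(dest)] = scanner(dest)
    return new, dup, results


def demo():
    """Constructed end-to-end run on temp directories; returns the counts for checking."""
    base = Path(tempfile.mkdtemp(prefix="bro-files-"))
    incoming, outgoing = base / "extracted", base / "to_scan"
    incoming.mkdir()
    outgoing.mkdir()
    payload = b"MZ" + b"\x00" * 64 + b"DEMO-MARKER"
    (incoming / "FaB1x.exe").write_bytes(payload)            # constructed sample, hits demo_marker
    (incoming / "FqQ9z.exe").write_bytes(payload)            # same bytes, new name: a duplicate
    (incoming / "Fk7Lm.pdf").write_bytes(b"%PDF-1.4 plain")  # benign, no rule hit
    store = SeenStore()
    new, dup, results = process_directory(incoming, outgoing, store, demo_scanner)
    # A later extraction of the same payload is recognised across passes.
    (incoming / "Fz3Rt.exe").write_bytes(payload)
    new2, dup2, _ = process_directory(incoming, outgoing, store, demo_scanner)
    left_in_incoming = sum(1 for _ in incoming.iterdir())
    shutil.rmtree(base)
    return {
        "new": new,
        "dup": dup,
        "hits": sum(1 for m in results.values() if m),
        "second_pass": (new2, dup2),
        "left_in_incoming": left_in_incoming,
    }


if __name__ == "__main__":
    print(demo())
```

Renaming the moved file to its digest means the scan directory itself is content-addressed, so a second watcher or a later Yara pass can never be confused by Bro's per-connection file IDs. In production the seen-set must live outside the process (Redis, as Mike uses) or the dedup is lost on every restart.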