[Bro] Question on file hashes and cyrmu db

Dave DeChellis dave at dechellis.com
Sun Sep 7 13:59:27 PDT 2014


Thanks to a few of you for helping me offline with this; I was sidetracked on
other projects. I'm noticing some inconsistencies with Bro and the Cymru Hash
Service on my Bro box (2.3):

1.   When I download some files I expect to match through the service, it fails,
but it matches VirusTotal when I enter the MD5/SHA1 hash on their site.
2.   When I do get some matches from Cymru, I don't get the entry in notice.log
via the detect Bro script.

I did change detect-MHR.bro and made the following changes: changed the
percent down to 1 (just to test) and added the .zip MIME type.

I am running with checksums disabled and I've experienced this on a few Bro
boxes, including a virtual one I have loaded. For others who are doing dynamic
analysis of files for malware/viruses, is this the best approach? Is there
anything else I could try before I dig deeper into the code? I've verified
it's nothing stupid like DNS queries failing; what I haven't done is started to
dump the SHA256 to see if I have better luck with this hash value.

Also, the script seems to work with pcap files that people have provided, so the
network could be the issue, but I don't see any signs of packet loss, frame
errors or other problems in the data.

Thanks again
Dave

> On August 14, 2014 at 8:26 PM Dave DeChellis <dave at dechellis.com> wrote:
> 
>  Hello,
> 
>  I'm helping to customize an existing deployment of Bro and while I think I'm
> collecting all the file info correctly, I'm not hitting any matches when I run
> the hashes against Cymru's database. I was wondering if someone could
> confirm that none of these hashes match either. I've run them against the
> DNS, Whois and web queries and had no luck. I work at a very open place and I
> find it almost impossible that not one of the 1.7M hashes match. In the
> event there are no matches, could someone point me to some sample pcap files
> so I can test my scripts?
> 
>  If someone wanted to help cross correlate my findings, I could send offline a
> .gz of 1.7M hashes from a few hours of collection.
> 
> 
>  Thanks again for any help or assistance
> 
> 
