[Bro] Question on file hashes and cyrmu db
Dave DeChellis
dave at dechellis.com
Sun Sep 7 13:59:27 PDT 2014
Thanks to a few of you for helping me offline for this, I was sidetracked on
other projects. I'm noticing some inconsistencies with Bro and the Cymru Hash
Servce on my Bro box (2.3)
1. When i download some files I expect to match through the service, it fails
but it matches virustotal when I enter the MD5/SHA1 hash on their site.
2. When I do get some matches from Cymru, I don't get the entry in notice.log
via the detect bro script.
I did change the detect-MHR.bro and made the following changes: changed the
percent down to 1 (just to test) and added the .zip mime extension
I am running with checksums disabled and I've experienced this on a few bro
boxes including a virtual I have loaded. For others who are doing dynamic
analysis of files for malware/viruses, is this the best approach? Is there
anything else I could try before I dig deeper into the code? I've verified
it's nothing stupid like DNS queries failing, what I haven't done is started to
dump the SHA256 to see if I have better luck with this hash value.
Also, the script seems to work with pcap files that people have provided so the
network could be the issue but I don't see any signs of packet loss, frame
errors or other data.
Thanks again
Dave
> On August 14, 2014 at 8:26 PM Dave DeChellis <dave at dechellis.com> wrote:
>
> Hello,
>
> I'm helping to customize an existing deployment of Bro and while I think I'm
> collecting all the file info correctly, I'm not hitting any matches when I run
> the hashes against cymru's database. I was wondering if someone could
> confirm that none of these hashes match either. I've run them against the
> DNS,Whois and web queries and had no luck. I work at a very open place and I
> find it almost impossible that not one of the 1.7M hashes match. In the
> event there are no matches, could someone point me to some sample pcap files
> so I can test my scripts?
>
> If someone wanted to help cross correlate my findings, I could send offline a
> .gz of 1.7M hashes from a few hours of collection.
>
>
> Thanks again for any help or assistance
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140907/62548631/attachment.html
More information about the Bro
mailing list