[Bro] Question on file hashes and cyrmu db

Seth Hall seth at icir.org
Mon Sep 8 06:28:06 PDT 2014


On Sep 7, 2014, at 4:59 PM, Dave DeChellis <dave at dechellis.com> wrote:

> 2.   When I do get some matches from Cymru, I don't get the entry in notice.log via the detect bro script.

How do you know you get a match from Team Cymru if it doesn't show up in your notice.log?

>  I did change the detect-MHR.bro and made the following changes:  changed the percent down to 1 (just to test) and added the .zip mime extension

You should really avoid making changes to that file.  Instead you should have done this in local.bro (or elsewhere, just a script you control):

redef TeamCymruMalwareHashRegistry::match_file_types += /application\/zip/;
redef TeamCymruMalwareHashRegistry::notice_threshold = 1;

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
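To make the threshold and file-type knobs above concrete, here is an added Python illustration (not the Bro script itself) of the decision detect-MHR.bro makes once it has the Team Cymru answer. It assumes the documented MHR reply format of a TXT record reading "<last-seen unix timestamp> <detection rate percent>", and uses a reduced default pattern and constructed sample answers.

```python
import re

# Team Cymru MHR answers a TXT lookup for <sha1>.malware.hash.cymru.com with
# "<last_seen_unix_ts> <detection_rate_percent>" (assumed from the public MHR
# documentation); no record at all means the hash is unknown to MHR.
MHR_TXT = re.compile(r"^(\d+) (\d{1,3})$")

# Reduced stand-in for the script's default pattern, and the widened pattern
# from the redef in local.bro shown above.
DEFAULT_TYPES = re.compile(r"application/x-dosexec")
LOCAL_TYPES = re.compile(r"application/x-dosexec|application/zip")

def parse_mhr_txt(txt):
    """Return (last_seen, detection_rate) or None when the answer is absent or malformed."""
    if txt is None:
        return None
    m = MHR_TXT.match(txt.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def should_notice(mime_type, txt_reply, match_file_types, notice_threshold):
    """Mirror the detect-MHR decision: the MIME type must match the pattern and
    the MHR detection rate must reach notice_threshold before a notice is raised."""
    if mime_type is None or not match_file_types.search(mime_type):
        return False
    parsed = parse_mhr_txt(txt_reply)
    if parsed is None:
        return False
    _, rate = parsed
    return rate >= notice_threshold

# Constructed sample lookups (MIME type seen by Bro, TXT answer from MHR).
SAMPLES = [
    ("application/zip", "1409000000 72"),   # known hash, high detection rate
    ("application/zip", "1409000000 5"),    # known hash, low detection rate
    ("application/x-dosexec", None),        # hash not in MHR (no TXT record)
    ("text/plain", "1409000000 90"),        # type not covered by the pattern
]

def evaluate(match_file_types, notice_threshold):
    """One True/False per sample: would a notice be generated?"""
    return [should_notice(m, t, match_file_types, notice_threshold) for m, t in SAMPLES]

if __name__ == "__main__":
    print(evaluate(DEFAULT_TYPES, 10))  # [False, False, False, False]
    print(evaluate(LOCAL_TYPES, 10))    # [True, False, False, False]
    print(evaluate(LOCAL_TYPES, 1))     # [True, True, False, False]
```

The second and third runs show why lowering notice_threshold to 1 only changes the outcome for hashes MHR already knows; a file whose type is outside match_file_types, or whose hash MHR has never seen, produces no notice regardless of the threshold.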