[Bro] Question on file hashes and Cymru db

Dave DeChellis dave at dechellis.com
Mon Sep 8 15:09:34 PDT 2014


> On September 8, 2014 at 8:28 AM Seth Hall <seth at icir.org> wrote:
>
>
>
> On Sep 7, 2014, at 4:59 PM, Dave DeChellis <dave at dechellis.com> wrote:
>
> > 2. When I do get some matches from Cymru, I don't get the entry in
> > notice.log via the detect bro script.
>
> How do you know you get a match from Team Cymru if it doesn't show up in your
> notice.log?

I manually dumped the MD5/SHA1 hashes from files.log and imported them into their
web portal. For the ones that matched, I confirmed that the DNS query returned a
match also.

>
> > I did change the detect-MHR.bro and made the following changes: changed the
> > percent down to 1 (just to test) and added the .zip mime extension
>
> You should really avoid making changes to that file. Instead you should have
> done this in local.bro (or elsewhere, just a script you control):
>
> redef TeamCymruMalwareHashRegistry::match_file_types += /application\/zip/;
> redef TeamCymruMalwareHashRegistry::notice_threshold = 1;
>

Thanks again
Dave


> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
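The two `redef` lines in the reply only change how the stock detect-MHR script decides which files to look up and when a match becomes a notice. The following is an added illustration of that decision logic in Python, not Bro code and not part of the thread or the Bro project. It assumes the MHR lookup convention of querying `<sha1>.malware.hash.cymru.com` for a TXT record of the form `<unix_timestamp> <detection_percent>`; the hashes, the TXT answers and the files.log rows are constructed, and the resolver is a dictionary standing in for DNS so the code runs offline.

```python
import re
from datetime import datetime, timezone

# Constructed stand-in for the DNS resolver: query name -> TXT answer.
# A missing key models "no record" (the hash is unknown to MHR).
FAKE_TXT_RECORDS = {
    "0000000000000000000000000000000000000001.malware.hash.cymru.com": "1410134400 42",
    "0000000000000000000000000000000000000002.malware.hash.cymru.com": "1410134400 3",
}

# The two tunables from the reply, as a site would set them in local.bro.
# The base file-type pattern is an assumption; the reply only shows adding zip.
MATCH_FILE_TYPES = re.compile(r"application/x-dosexec|application/zip")
NOTICE_THRESHOLD = 10


def mhr_query_name(sha1_hex):
    """Build the MHR lookup name for a SHA1 hex digest."""
    return "%s.malware.hash.cymru.com" % sha1_hex.lower()


def parse_mhr_txt(txt):
    """Parse an MHR TXT answer '<unix_ts> <detection_pct>' into (int, int)."""
    parts = txt.split()
    if len(parts) != 2:
        raise ValueError("unexpected MHR answer: %r" % txt)
    return int(parts[0]), int(parts[1])


def check_file(mime_type, sha1_hex, resolver=FAKE_TXT_RECORDS,
               threshold=NOTICE_THRESHOLD, file_types=MATCH_FILE_TYPES):
    """Return a notice dict when the file would raise a
    TeamCymruMalwareHashRegistry::Match notice, otherwise None."""
    # 1. Only files whose MIME type matches match_file_types are looked up at all.
    if not file_types.search(mime_type):
        return None
    # 2. No TXT record means MHR has never seen the hash.
    txt = resolver.get(mhr_query_name(sha1_hex))
    if txt is None:
        return None
    # 3. A record below notice_threshold is a lookup hit but not a notice.
    last_seen, pct = parse_mhr_txt(txt)
    if pct < threshold:
        return None
    return {
        "sha1": sha1_hex,
        "mime_type": mime_type,
        "detection_pct": pct,
        "last_seen": datetime.fromtimestamp(last_seen, timezone.utc).isoformat(),
    }


def scan_files_log(rows, **kwargs):
    """Run check_file over (mime_type, sha1) pairs as pulled from files.log."""
    notices = []
    for mime_type, sha1_hex in rows:
        notice = check_file(mime_type, sha1_hex, **kwargs)
        if notice is not None:
            notices.append(notice)
    return notices


# Constructed files.log excerpt: (mime_type, sha1).
SAMPLE_ROWS = [
    ("application/x-dosexec", "0000000000000000000000000000000000000001"),  # 42% -> notice
    ("application/zip",       "0000000000000000000000000000000000000002"),  # 3%  -> below threshold
    ("application/zip",       "0000000000000000000000000000000000000003"),  # no MHR record
    ("text/plain",            "0000000000000000000000000000000000000001"),  # type not in scope
]

if __name__ == "__main__":
    for n in scan_files_log(SAMPLE_ROWS):
        print(n)
    # With threshold lowered to 1, as in the reply, the 3% hit also fires.
    print(len(scan_files_log(SAMPLE_ROWS, threshold=1)))
```

Row two shows the situation in the thread: the portal and the DNS query both return a record for the hash, but with the default threshold of 10 a 3% detection rate never reaches notice.log, which is why lowering `notice_threshold` changes what gets logged.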