[Bro] Bro --> Google Safe Browsing API?
John Green
john at giggled.org
Wed Mar 25 06:44:27 PDT 2015
On 25 March 2015 at 12:52, Doug Burks <doug.burks at gmail.com> wrote:
> Hello all,
>
> Has anybody developed a script to have Bro query the Google Safe Browsing
> API?
>
For bulk lookups you need to maintain a local copy of the chunks which are
basically black/white lists of hash prefixes of the canonicalised URL
(Bloom filter). This is the same data Chrome/Firefox use for safe browsing.
There is a reference implementation available which maintains a local
copy. Then your script just needs to hash the URL (or one of a number of
different permutations) and check the prefix if it is present in both
lists. If it is present in the blacklist then follow up with a query to
Google for the full hash and compare.
I wrote some shoddy code a while ago against v2 of this spec to maintain a
local copy of the partial hashes within postgres.
https://github.com/j-o-h-n-g/Mortimer/blob/master/importgoogle.py
John
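
The local prefix check described in the message above, as an added example that is not part of the original post or of the linked importgoogle.py. It assumes the URL is already canonicalised and that the local list holds 4-byte SHA-256 prefixes; the function names and the `BLOCK` set are hypothetical and constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: local lists store 4-byte SHA-256 prefixes


def lookup_expressions(url):
    """Host-suffix/path-prefix permutations of an already-canonicalised URL."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    hosts = [host]
    if not host.replace(".", "").isdigit():  # IPv4 literals get no suffixes
        # Up to four more hosts: take the last five labels, drop the leading
        # label each time, and stop before reaching the bare TLD.
        tail = host.split(".")[-5:]
        for i in range(len(tail) - 1):
            cand = ".".join(tail[i:])
            if cand not in hosts:
                hosts.append(cand)
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    # Up to four prefixes from the root, adding one directory at a time.
    dirs = [s for s in path.split("/") if s][:-1][:3]
    prefix = "/"
    for p in ["/"] + [prefix := prefix + d + "/" for d in dirs]:
        if p not in paths:
            paths.append(p)
    return [h + p for h in hosts for p in paths]


def prefix_of(expr):
    """Truncated SHA-256 of one host/path expression."""
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]


def candidates(url, block_prefixes):
    """Expressions whose prefix is in the local list.

    A hit is only a candidate: the full hash still has to be fetched
    from the service and compared before the URL is treated as listed.
    """
    return [e for e in lookup_expressions(url) if prefix_of(e) in block_prefixes]


# Constructed local list: one prefix, for the expression "b.c/1/".
BLOCK = {prefix_of("b.c/1/")}

if __name__ == "__main__":
    print(candidates("http://a.b.c/1/2.html?param=1", BLOCK))
```

Only URLs that return a non-empty candidate list need the follow-up full-hash query, so bulk traffic is resolved against the local copy.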