[Bro] Performing file analysis with bro

Daniel Guerra daniel.guerra69 at gmail.com
Fri Apr 1 12:08:01 PDT 2016


Hi Tony,

This is a nice example

https://www.bro.org/sphinx/_downloads/detect-MHR.bro

Regards,

Daniel

> On 01 Apr 2016, at 16:38, Tony Waller <twaller at bivio.net> wrote:
> 
> Hello,
> 
> I am trying to write a bro event that matches these example content conditions:
> 
> Payload string 1: content: "eaio" - This is an example hex string
> Payload string 2: content: ".exe HTTP"
> 
> When I look at file analysis it talks about the framework but leads me to believe that it will only look at hash information. Any suggestions?
> 
> Sincerely,
> 
> Tony
> 
> 
> Tony Waller, CISSP
> Director, Systems Engineering
> Bivio Networks, Inc.
> “Powering Advanced Cyber Operations” (TM)
> Mobile (443) 994-0936
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
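To make the route Daniel points at concrete, here is an added example (not from this thread or the Bro distribution) written in the style of detect-MHR.bro: it hashes executables through the file analysis framework and raises a notice when the SHA1 is in a locally maintained watch list, instead of querying the Malware Hash Registry over DNS as the linked script does. The module name, the notice type and the placeholder hashes are assumptions.

```bro
# Added example: local-list variant of detect-MHR.bro (not from the Bro project).
@load base/frameworks/files
@load base/frameworks/notice

module LocalHashWatch;

export {
	redef enum Notice::Type += {
		## Raised when a transferred file's SHA1 is on the local watch list.
		Match
	};

	## MIME types worth hashing; extend to taste.
	const match_file_types = /application\/x-dosexec/ |
	                         /application\/x-executable/ &redef;

	## Constructed placeholder hashes; replace with hashes from your own intel.
	const bad_sha1: set[string] = {
		"0000000000000000000000000000000000000001",
		"0000000000000000000000000000000000000002",
	} &redef;
}

# file_sniff fires once Bro has identified the MIME type from the leading
# bytes, so only files of interest get a hash analyzer attached.
event file_sniff(f: fa_file, meta: fa_metadata)
{
	if ( meta?$mime_type && match_file_types in meta$mime_type )
		Files::add_analyzer(f, Files::ANALYZER_SHA1);
}

# file_hash fires when an attached hash analyzer finishes with the file.
event file_hash(f: fa_file, kind: string, hash: string)
{
	if ( kind != "sha1" || hash !in bad_sha1 )
		return;

	# Passing $f lets the notice framework fill in the file and connection
	# details (uid, source, mime type) for notice.log.
	NOTICE([$note=Match,
	        $msg=fmt("SHA1 %s of a transferred file is on the local watch list", hash),
	        $sub=hash,
	        $f=f]);
}
```

Payload string matching of the kind Tony describes is a separate mechanism (Bro's signature framework), so this example covers only the hash-based path the linked script takes.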
