[Bro] IOCs data for hashes.

Ed Sealing ed.sealing at sealingtech.org
Mon Aug 29 07:39:26 PDT 2016


MITRE and NIST have been putting some efforts into the "Malware Attribute
Enumeration and Characterization (MAEC)" standard. I haven't done much work
with it, but it's worth looking into. They have a list of datasets at
https://github.com/MAECProject/datasets.

Sending the hashes out to services like VirusTotal or Team CYMRU is another
widely used option. This is all covered under the Bro File Extraction
Exercise on the website (https://www.bro.org/current/exercises/faf/).

If you are trying to do this without sending any information over the
internet, there are in-house implementations that are available for
commercial use. Opswat Meta-defender is an example of a commercially
available multi-AV platform with an API that Bro can interface with.
https://www.opswat.com/metadefender-core

Hope this helps.

~Ed

On Mon, Aug 29, 2016 at 9:30 AM, fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> Hi,
>
> I am working with BRO, trying to add the capability of malware detection
> using Bro.
> I am already using the intel framework provided by Bro and feeding IOC
> data into it.
> It successfully detects and logs the connection having bad IPs and domains
> in intel.log file.
> The functionality I would like to add is to detect any malware downloaded
> by any of the endpoints, and for that I need some good IOC data of hashes.
> I searched the internet for IOC hashes but couldn't find any good source
> for it.
> Does anyone have any pointers in the same direction? Or any other magic
> that can be used to accomplish the same purpose?
>
> Thanks,
> Fatema.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

R/S

Ed Sealing, President / CEO
CISSP, CEH, RHCSA

7226 Lee Deforest Dr.
Columbia, MD 21046
Mobile: (301) 885-6947
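As an added example (not code from either message in this thread) of the hash-detection piece Fatema describes: a Bro script that loads file-hash indicators into the Intel framework and raises a notice when a transferred file's hash matches. The indicator file path, the module name and the sample indicator line are assumptions.

```bro
# Added example: load file-hash IOCs into Bro's Intel framework and raise a
# notice when a transferred file's hash matches one of them.
@load base/frameworks/intel
@load base/frameworks/notice
@load frameworks/files/hash-all-files   # compute MD5/SHA1/SHA256 for every file
@load frameworks/intel/seen             # feeds file_hash events into Intel::seen

module MalwareHash;

export {
	redef enum Notice::Type += { Hash_Match };
}

# Assumed path. The indicator file is tab-separated in Intel framework format;
# <TAB> below stands for a real tab character, spaces will not parse:
#
# #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc
# d41d8cd98f00b204e9800998ecf8427e<TAB>Intel::FILE_HASH<TAB>local-feed<TAB>MD5 of empty file (placeholder)
redef Intel::read_files += { "/opt/bro/intel/malware-hashes.dat" };

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# Only act on hash indicators seen on a file; IP and domain hits are
	# already written to intel.log by the framework itself.
	if ( s$indicator_type != Intel::FILE_HASH || ! s?$f )
		return;

	local f = s$f;
	local sources: set[string];
	for ( item in items )
		add sources[item$meta$source];

	NOTICE([$note=Hash_Match,
	        $msg=fmt("file %s seen via %s matches hash %s",
	                 f$id, f$source, s$indicator),
	        $sub=join_string_set(sources, ","),
	        $f=f,
	        # suppress repeated notices for the same file/hash pair
	        $identifier=cat(f$id, s$indicator)]);
	}
```

The notice carries the file id and source (e.g. HTTP), so it can be joined against files.log and conn.log to find the endpoint that downloaded the matching file.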

