[Bro] IOCs data for hashes.
Azoff, Justin S
jazoff at illinois.edu
Mon Aug 29 11:13:49 PDT 2016
> On Aug 29, 2016, at 2:00 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Hi Chris,
>
> Thank you for the suggestions.
> The detect-MHR.bro script is already enabled in the local.bro file, but I don't get any
> logging in notice.log file corresponding to Malware hash registry.
>
> I looked at the script and the notice_threshold is set to 10 (10% min detection rate), which is reasonable,
> but as I was analyzing a malware hash detected by another IDS device, and when I checked it on Team Cymru's lookup (https://hash.cymru.com) it had a 26% detection rate, I realized that there were no logs in the
> files.log and notice.log files corresponding to that hash.
> Bro didn't log any hash for the file transfer that transpired.
> 1472425280.047247 Fs9rse1xsQgD2TIADa 220.243.237.153 x.x.x.x CJFssC2o2RqHx6PJY8 HTTP 0 MD5,PE,SHA1 application/x-dosexec - 11.101799 F F 2122412 20265152 18142740 0
Those last 3 numbers are
seen_bytes = 2122412
total_bytes = 20265152
missing_bytes = 18142740
Bro did not see 90% of the bytes of the file; it can't hash what it didn't see.
--
- Justin Azoff
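The check Justin describes, reading seen_bytes, total_bytes and missing_bytes out of files.log to tell "Bro never saw the whole file" apart from "Bro saw it but did not hash it", as an added example that is not code from the original thread or from the Bro project. It assumes the Bro 2.x files.log column order given in FIELDS (compare against the #fields header of your own log) and tab-separated lines with "-" for unset values; the three log records embedded below are constructed for illustration, the first one shaped like the transfer discussed above.

```python
"""Audit a Bro files.log for transfers whose hash is absent because Bro did not
see the whole file (seen_bytes < total_bytes, missing_bytes > 0).

Added example; not code from the mailing-list thread or from Bro itself.
Assumes the Bro 2.x files.log column order in FIELDS and "-" for unset fields.
"""

# Assumed Bro 2.x files.log columns; check against your log's #fields header.
FIELDS = [
    "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth",
    "analyzers", "mime_type", "filename", "duration", "local_orig", "is_orig",
    "seen_bytes", "total_bytes", "missing_bytes", "overflow_bytes", "timedout",
    "parent_fuid", "md5", "sha1", "sha256", "extracted",
]

# Constructed sample records (not real traffic). Record 1 mirrors the shape of
# the transfer discussed above: 2122412 of 20265152 bytes seen, no hash.
# Record 2 is a fully seen file with a (made-up) MD5. Record 3 has no
# Content-Length, so total_bytes is unknown ("-").
SAMPLE_FILES_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1472425280.047247", "Fs9rse1xsQgD2TIADa", "203.0.113.5",
               "192.0.2.10", "CJFssC2o2RqHx6PJY8", "HTTP", "0", "MD5,PE,SHA1",
               "application/x-dosexec", "-", "11.101799", "F", "F", "2122412",
               "20265152", "18142740", "0", "F", "-", "-", "-", "-", "-"]),
    "\t".join(["1472425301.000000", "FaBcDeFgHiJkLmNoP", "203.0.113.6",
               "192.0.2.10", "CzYxWvUtSrQpOnMlK", "HTTP", "0", "MD5,SHA1",
               "application/x-dosexec", "-", "0.250000", "F", "F", "4096",
               "4096", "0", "0", "F", "-", "0123456789abcdef0123456789abcdef",
               "-", "-", "-"]),
    "\t".join(["1472425333.000000", "FqRsTuVwXyZaBcDeF", "203.0.113.7",
               "192.0.2.10", "CjKlMnOpQrStUvWxY", "HTTP", "0", "MD5,SHA1",
               "application/octet-stream", "-", "3.100000", "F", "F", "65536",
               "-", "0", "0", "F", "-", "-", "-", "-", "-"]),
])


def _int(value):
    """Return an int for a numeric field, or None when Bro logged '-'."""
    return None if value == "-" else int(value)


def parse_files_log(text):
    """Yield one dict per data line, keyed by FIELDS; skips '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(cols)))
        records.append(dict(zip(FIELDS, cols)))
    return records


def audit_record(rec):
    """Classify one files.log record by how much of the file Bro observed."""
    seen = _int(rec["seen_bytes"]) or 0
    total = _int(rec["total_bytes"])
    missing = _int(rec["missing_bytes"]) or 0
    hashed = any(rec[h] != "-" for h in ("md5", "sha1", "sha256"))
    coverage = None if not total else round(100.0 * seen / total, 2)

    if hashed:
        verdict = "hashed"
    elif missing > 0 or (total is not None and seen < total):
        # The case from the thread: gaps in the stream, so no digest is possible.
        verdict = "incomplete: %d of %s bytes seen, %d missing; hash impossible" % (
            seen, total, missing)
    elif total is None:
        verdict = "total size unknown; completeness cannot be judged from counters"
    elif "MD5" not in rec["analyzers"].split(","):
        verdict = "complete but no hash analyzer attached"
    else:
        verdict = "complete but unhashed; check analyzer errors or timeouts"

    return {"fuid": rec["fuid"], "seen": seen, "total": total, "missing": missing,
            "coverage_pct": coverage, "hashed": hashed, "verdict": verdict}


def audit_files_log(text):
    """Audit every record in a files.log body; returns a list of verdict dicts."""
    return [audit_record(r) for r in parse_files_log(text)]


if __name__ == "__main__":
    for r in audit_files_log(SAMPLE_FILES_LOG):
        print("%s coverage=%s hashed=%s %s" % (
            r["fuid"], r["coverage_pct"], r["hashed"], r["verdict"]))
```

Run it against `cat files.log` in place of the constructed sample to list every transfer where the missing hash is explained by lost bytes (an asymmetric route, a tap that only sees one direction, or packet drops on the sensor) rather than by the MHR script; only records with verdict "hashed" can ever have produced a notice.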