[Bro] IOCs data for hashes.
philosnef
philosnef at yahoo.com
Mon Aug 29 13:31:14 PDT 2016
OK, so if you have a highly active network pushing many gigs of traffic, then it seems like hash-based IOCs are not likely to be reliable...
However, ssdeep hashing by bro would likely not be as severely impacted, correct?
On Monday, August 29, 2016 3:00 PM, "bro-request at bro.org" <bro-request at bro.org> wrote:
Date: Mon, 29 Aug 2016 18:13:49 +0000
From: "Azoff, Justin S" <jazoff at illinois.edu>
Subject: Re: [Bro] IOCs data for hashes.
To: fatema bannatwala <fatema.bannatwala at gmail.com>
Cc: "bro at bro.org" <bro at bro.org>
Message-ID: <5DB1A6D9-5318-4B2B-8CA0-50E5D8CB3DC2 at illinois.edu>
> On Aug 29, 2016, at 2:00 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Hi Chris,
>
> Thank you for the suggestions.
> The detect-MHR.bro script is already enabled in the local.bro file, but I don't get any
> logging in the notice.log file corresponding to the Malware Hash Registry.
>
> I looked at the script, and the notice_threshold is set to 10 (10% minimum detection rate), which is reasonable.
> But as I was analyzing a malware hash that was detected by another IDS device, and that had a 26% detection rate
> when checked on Team Cymru's lookup (https://hash.cymru.com), I realized that there were no logs in
> files.log and notice.log corresponding to that hash.
> Bro didn't log any hash for the file transfer that transpired.
> 1472425280.047247 Fs9rse1xsQgD2TIADa 220.243.237.153 x.x.x.x CJFssC2o2RqHx6PJY8 HTTP 0 MD5,PE,SHA1 application/x-dosexec - 11.101799 F F 2122412 20265152 18142740 0
Those last 3 numbers are
seen_bytes = 2122412
total_bytes = 20265152
missing_bytes = 18142740
Bro did not see 90% of the bytes of the file; it can't hash what it didn't see.
--
- Justin Azoff
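The files.log columns Justin points at (seen_bytes, total_bytes, missing_bytes) are the check to run before trusting any hash-based IOC feed on a sensor: a record with missing_bytes > 0 can never match an MD5/SHA1 indicator, whatever the feed's quality. The script below is an added example, not code from the Bro project or from anyone in this thread. It parses a Bro 2.x files.log using the log's own #fields header (the column layout assumed here is the default one; the record names such as seen_bytes and missing_bytes are the ones quoted above), reports per-file coverage, and totals how many files on the sensor were even hashable. The embedded log is constructed: the first record is the one quoted in the thread with its cut-off trailing columns filled in as unset ("-"), and the second is an invented fully observed file for contrast, with a made-up MD5.

```python
#!/usr/bin/env python3
"""Measure how much of each file Bro actually saw, from files.log.

Bro only produces a hash for a file whose bytes it observed completely, so any
files.log record with missing_bytes > 0 is a blind spot for hash IOCs such as
the Malware Hash Registry lookup in detect-MHR.bro, no matter how good the feed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the default Bro 2.x files.log layout (tab-separated).
# Record 1 is the record quoted in the thread, trailing fields set to '-'.
# Record 2 is invented: a small file seen in full, with a made-up MD5.
SAMPLE_FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers\tmime_type\tfilename\tduration\tlocal_orig\tis_orig\tseen_bytes\ttotal_bytes\tmissing_bytes\toverflow_bytes\ttimedout\tparent_fuid\tmd5\tsha1\tsha256\textracted
1472425280.047247\tFs9rse1xsQgD2TIADa\t220.243.237.153\tx.x.x.x\tCJFssC2o2RqHx6PJY8\tHTTP\t0\tMD5,PE,SHA1\tapplication/x-dosexec\t-\t11.101799\tF\tF\t2122412\t20265152\t18142740\t0\tF\t-\t-\t-\t-\t-
1472425301.500000\tFabcdefghijk12345\t93.184.216.34\tx.x.x.x\tCxyz987654321abcd\tHTTP\t0\tMD5,SHA1\tapplication/x-dosexec\t-\t0.250000\tF\tF\t45056\t45056\t0\t0\tF\t-\t00112233445566778899aabbccddeeff\t-\t-\t-
"""


@dataclass
class FileRecord:
    fuid: str
    tx_host: str
    mime_type: str
    analyzers: List[str]
    seen_bytes: int
    total_bytes: Optional[int]  # None when Bro never learned the size
    missing_bytes: int
    md5: Optional[str]

    @property
    def coverage(self) -> Optional[float]:
        """Fraction of the file's bytes Bro observed (None if size unknown)."""
        if not self.total_bytes:
            return None
        return self.seen_bytes / self.total_bytes

    @property
    def hash_usable(self) -> bool:
        """True only if a hash analyzer ran over an uninterrupted stream."""
        hashed = any(a in ("MD5", "SHA1", "SHA256") for a in self.analyzers)
        return hashed and self.seen_bytes > 0 and self.missing_bytes == 0


def _unset(value: str) -> Optional[str]:
    """Map Bro's unset/empty markers to None."""
    return None if value in ("-", "(empty)") else value


def parse_files_log(text: str) -> List[FileRecord]:
    """Parse a files.log body, taking the column order from its #fields line."""
    fields: Optional[List[str]] = None
    records: List[FileRecord] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other metadata lines (#separator, #path, ...)
            continue
        if fields is None:
            raise ValueError("files.log has no #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        row = dict(zip(fields, cols))
        total = _unset(row["total_bytes"])
        records.append(FileRecord(
            fuid=row["fuid"],
            tx_host=row["tx_hosts"],
            mime_type=row["mime_type"],
            analyzers=[a for a in row["analyzers"].split(",") if _unset(a)],
            seen_bytes=int(row["seen_bytes"]),
            total_bytes=int(total) if total is not None else None,
            missing_bytes=int(row["missing_bytes"]),
            md5=_unset(row["md5"]),
        ))
    return records


@dataclass
class CoverageSummary:
    files: int
    incomplete: int   # records with missing_bytes > 0
    hashable: int     # records whose hash could have matched an IOC
    bytes_seen: int
    bytes_missing: int


def summarize(records: Iterable[FileRecord]) -> CoverageSummary:
    """Totals that tell you whether hash IOCs are meaningful on this sensor."""
    s = CoverageSummary(0, 0, 0, 0, 0)
    for r in records:
        s.files += 1
        s.incomplete += r.missing_bytes > 0
        s.hashable += r.hash_usable
        s.bytes_seen += r.seen_bytes
        s.bytes_missing += r.missing_bytes
    return s


if __name__ == "__main__":
    recs = parse_files_log(SAMPLE_FILES_LOG)
    for r in recs:
        cov = "n/a" if r.coverage is None else f"{100 * r.coverage:.1f}%"
        print(f"{r.fuid} {r.mime_type} coverage={cov} "
              f"missing={r.missing_bytes} hash_usable={r.hash_usable}")
    s = summarize(recs)
    print(f"{s.files} files, {s.incomplete} incomplete, {s.hashable} hashable, "
          f"{s.bytes_missing} bytes never seen")
```

Run it against a real files.log (`zcat files.*.log.gz | python3 coverage.py`, after swapping SAMPLE_FILES_LOG for stdin) and compare `incomplete` with `files`: on a sensor that drops most of a busy link, that ratio, not the IOC feed, is what decides whether hash matching can work.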
_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro