[Bro] IOCs data for hashes.

philosnef philosnef at yahoo.com
Mon Aug 29 13:31:14 PDT 2016 

Ok, so if you have a highly active network pushing many gigs of traffic, then it seems like hash based iocs are not likely to be reliable....
However, ssdeep hashing by bro would likely not be as severely impacted, correct? 

    On Monday, August 29, 2016 3:00 PM, "bro-request at bro.org" <bro-request at bro.org> wrote:
 

 Send Bro mailing list submissions to
    bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
    bro-request at bro.org

You can reach the person managing the list at
    bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

  1. Re: IOCs data for hashes. (Azoff, Justin S)


----------------------------------------------------------------------

Message: 1
Date: Mon, 29 Aug 2016 18:13:49 +0000
From: "Azoff, Justin S" <jazoff at illinois.edu>
Subject: Re: [Bro] IOCs data for hashes.
To: fatema bannatwala <fatema.bannatwala at gmail.com>
Cc: "bro at bro.org" <bro at bro.org>
Message-ID: <5DB1A6D9-5318-4B2B-8CA0-50E5D8CB3DC2 at illinois.edu>
Content-Type: text/plain; charset="us-ascii"


> On Aug 29, 2016, at 2:00 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Hi Chris,
> 
> Thank you for the suggestions.
> The detect-MHR.bro script is already enabled in the local.bro file, but I don't get any
> logging in notice.log file corresponding to Malware hash registry.
> 
> I looked at the script and the notice_threshold is set to 10 (10% min detection rate) which is reasonable,
> but as I was analyzing a malware hash, detected by other IDS device and when checked on team cymru's lookup: https://hash.cymru.com had 26% as detection rate, realized that there were no logs in
> files.log and notice.log files corresponding to that hash. 
> Bro didn't log any hash for the file transfer that transpired. 
> 1472425280.047247      Fs9rse1xsQgD2TIADa      220.243.237.153  x.x.x.x      CJFssC2o2RqHx6PJY8      HTTP    0      MD5,PE,SHA1    application/x-dosexec  -      11.101799      F      F      2122412 20265152      18142740 0

Those last 3 numbers are

seen_bytes    = 2122412
total_bytes  = 20265152
missing_bytes = 18142740

Bro did not see 90% of the bytes of the file, it can't hash what it didn't see.

-- 
- Justin Azoff




------------------------------

_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


End of Bro Digest, Vol 124, Issue 34
************************************


   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160829/270c7a85/attachment.html

More information about the Bro mailing list