[Bro] IOCs data for hashes.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Aug 30 10:46:35 PDT 2016


Thanks Justin for the answer.
Yeah, we realized that we were having some capture loss with our BRO
sensors; it's fixed now.

Thanks,
Fatema.

On Mon, Aug 29, 2016 at 2:13 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Aug 29, 2016, at 2:00 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Hi Chris,
> >
> > Thank you for the suggestions.
> > The detect-MHR.bro script is already enabled in the local.bro file, but
> > I don't get any logging in notice.log file corresponding to Malware hash registry.
> >
> > I looked at the script and the notice_threshold is set to 10 (10% min
> > detection rate) which is reasonable,
> > but as I was analyzing a malware hash, detected by other IDS device and
> > when checked on team cymru's lookup: https://hash.cymru.com had 26% as
> > detection rate, realized that there were no logs in
> > files.log and notice.log files corresponding to that hash.
> > Bro didn't log any hash for the file transfer that transpired.
> > 1472425280.047247  Fs9rse1xsQgD2TIADa  220.243.237.153  x.x.x.x  CJFssC2o2RqHx6PJY8  HTTP  0  MD5,PE,SHA1  application/x-dosexec  -  11.101799  F  F  2122412  20265152  18142740  0
>
> Those last 3 numbers are
>
> seen_bytes    = 2122412
> total_bytes   = 20265152
> missing_bytes = 18142740
>
> Bro did not see 90% of the bytes of the file, it can't hash what it didn't
> see.
>
> --
> - Justin Azoff
>
>
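An added example (not from the thread, and not Bro's own code) that reads the files.log record Justin explains and works out, per file, how much of it the sensor actually saw and therefore whether a hash, and an MHR lookup, could ever have been produced. The `#fields` header is constructed from the standard files.log column order; the record is the one quoted above.

```python
# Column names assumed from the standard files.log layout (leading columns only).
FIELDS = ["ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth",
          "analyzers", "mime_type", "filename", "duration", "local_orig", "is_orig",
          "seen_bytes", "total_bytes", "missing_bytes", "overflow_bytes"]

# Constructed sample: a files.log fragment with the header lines a real log carries
# and the record from the thread (fields are tab-separated in the real file).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1472425280.047247", "Fs9rse1xsQgD2TIADa", "220.243.237.153",
               "x.x.x.x", "CJFssC2o2RqHx6PJY8", "HTTP", "0", "MD5,PE,SHA1",
               "application/x-dosexec", "-", "11.101799", "F", "F",
               "2122412", "20265152", "18142740", "0"]),
])


def parse_files_log(text):
    """Parse a tab-separated Bro log: '#fields' names the columns, other '#'
    lines are metadata, everything else is a record returned as a dict."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match the #fields header")
            records.append(dict(zip(fields, values)))
    return records


def hash_coverage(rec):
    """Return (fraction of bytes seen, hashable). Bro writes '-' for unset
    counters. A file can only be hashed, and so matched against the MHR, when
    no bytes are missing; capture loss shows up here as missing_bytes > 0."""
    seen = int(rec["seen_bytes"]) if rec["seen_bytes"] != "-" else 0
    missing = int(rec["missing_bytes"]) if rec["missing_bytes"] != "-" else 0
    total = int(rec["total_bytes"]) if rec["total_bytes"] != "-" else seen + missing
    fraction = seen / total if total else 0.0
    return fraction, missing == 0 and seen == total


if __name__ == "__main__":
    for rec in parse_files_log(SAMPLE_LOG):
        frac, ok = hash_coverage(rec)
        print(f"{rec['fuid']}: saw {frac:.1%} of the file, hashable={ok}")
```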