[Bro] IOCs data for hashes.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Aug 31 06:36:43 PDT 2016


Hi,

I wanted to ask: is there a framework available to integrate Bro with
VirusTotal as well, just like it uses Team Cymru's MHR to check the hashes
against?

The issue is that we get a very low detection rate with MHR, i.e. we see a
good number of hashes that are detected as malware/Trojan by other IDS
devices, and when the same hashes are checked against MHR by Bro, we do not
get any records in notice.log as they come out clean by MHR.
I realized that VirusTotal has a pretty decent detection rate for those
hashes.

I haven't looked into the details of the framework used to integrate Bro with
MHR, but I'm thinking the same can be done with VirusTotal, hence I wanted to
confirm whether this is something achievable using Bro or not, before diving
deep into it.

Appreciate the help.

Thanks,
Fatema.

On Tue, Aug 30, 2016 at 1:46 PM, fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> Thanks Justin for the answer.
> Yeah, we realized that we were having some capture loss with our BRO
> sensors, it's fixed now.
>
> Thanks,
> Fatema.
>
> On Mon, Aug 29, 2016 at 2:13 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Aug 29, 2016, at 2:00 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>> >
>> > Hi Chris,
>> >
>> > Thank you for the suggestions.
>> > The detect-MHR.bro script is already enabled in the local.bro file, but
>> I don't get any
>> > logging in notice.log file corresponding to Malware hash registry.
>> >
>> > I looked at the script and the notice_threshold is set to 10 (10% min
>> detection rate) which is reasonable,
>> > but as I was analyzing a malware hash, detected by other IDS device and
>> when checked on team cymru's lookup: https://hash.cymru.com had 26% as
>> detection rate, realized that there were no logs in
>> > files.log and notice.log files corresponding to that hash.
>> > Bro didn't log any hash for the file transfer that transpired.
>> > 1472425280.047247       Fs9rse1xsQgD2TIADa      220.243.237.153
>>  x.x.x.x      CJFssC2o2RqHx6PJY8      HTTP    0       MD5,PE,SHA1
>>  application/x-dosexec   -       11.101799       F       F       2122412
>> 20265152      18142740 0
>>
>> Those last 3 numbers are
>>
>> seen_bytes    = 2122412
>> total_bytes   = 20265152
>> missing_bytes = 18142740
>>
>> Bro did not see 90% of the bytes of the file, it can't hash what it
>> didn't see.
>>
>> --
>> - Justin Azoff
>>
>>
>
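Justin's explanation of the last three numbers in that files.log record (seen_bytes, total_bytes, missing_bytes) can be turned into a quick check over files.log, so that "no MHR hit" can be told apart from "no hash was ever computed". The Python below is an added example, not code from the thread or from the Bro project. It assumes the column order of a Bro 2.x files.log, read from the `#fields` header line that every Bro log carries (the header here is constructed to match the quoted record), and it adds one constructed, fully captured record for contrast.

```python
"""Flag files.log records whose file was only partially seen by Bro.

If missing_bytes is non-zero, Bro never saw the whole file, so no hash of the
complete file exists to look up in MHR (or anywhere else); the absence of a
notice.log entry then says nothing about the file's reputation.
"""

# Constructed sample log. The #fields header is assumed to match a Bro 2.x
# files.log; the first record is the line quoted in the thread (receiver
# redacted as x.x.x.x), the second is a made-up fully captured download.
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers"
    "\tmime_type\tfilename\tduration\tlocal_orig\tis_orig\tseen_bytes"
    "\ttotal_bytes\tmissing_bytes\toverflow_bytes",
    "1472425280.047247\tFs9rse1xsQgD2TIADa\t220.243.237.153\tx.x.x.x"
    "\tCJFssC2o2RqHx6PJY8\tHTTP\t0\tMD5,PE,SHA1\tapplication/x-dosexec\t-"
    "\t11.101799\tF\tF\t2122412\t20265152\t18142740\t0",
    "1472425300.000000\tFconstructed0001\t203.0.113.7\tx.x.x.x"
    "\tCconstructed0001\tHTTP\t0\tMD5,PE,SHA1\tapplication/x-dosexec\t-"
    "\t2.5\tF\tF\t4096\t4096\t0\t0",
])


def parse_files_log(text):
    """Parse a tab-separated Bro log into dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names come from the log itself
            continue
        if not line or line.startswith("#"):
            continue                        # other header/footer lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def _count(value):
    """Bro writes '-' for unset counts (e.g. total_bytes without Content-Length)."""
    return None if value == "-" else int(value)


def is_consistent(rec):
    """seen_bytes + missing_bytes should add up to total_bytes when all are set."""
    seen, total, missing = (_count(rec[k]) for k in ("seen_bytes", "total_bytes", "missing_bytes"))
    if None in (seen, total, missing):
        return True                         # cannot judge; do not flag
    return seen + missing == total


def missing_fraction(rec):
    """Fraction of the file Bro never saw, or None if total_bytes is unknown."""
    total = _count(rec["total_bytes"])
    missing = _count(rec["missing_bytes"])
    if total is None or missing is None or total == 0:
        return None
    return missing / total


def hash_is_trustworthy(rec):
    """A hash can only describe the full file if nothing was missed."""
    return _count(rec["missing_bytes"]) == 0


def capture_loss_report(records):
    """(fuid, fraction missing) for every record whose hash cannot be trusted."""
    report = []
    for rec in records:
        if not hash_is_trustworthy(rec):
            frac = missing_fraction(rec)
            report.append((rec["fuid"], None if frac is None else round(frac, 3)))
    return report


if __name__ == "__main__":
    recs = parse_files_log(SAMPLE_FILES_LOG)
    for fuid, frac in capture_loss_report(recs):
        print("%s: %s of the file was never seen; no full-file hash to look up"
              % (fuid, "unknown fraction" if frac is None else "%.1f%%" % (100 * frac)))
```

Pointed at a real files.log (`parse_files_log(open("files.log").read())`), the report lists every transfer where a missing MHR notice is explained by capture loss rather than by a clean lookup, which is the first thing to rule out before comparing detection rates between hash sources.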