[Bro] Bro Digest, Vol 122, Issue 6

Andrew Beard andrew at atomicmole.com
Mon Jun 6 12:10:22 PDT 2016


Maybe I’m misunderstanding what you’re trying to do, but if the entire file has already been transferred (which you need to do to calculate the hash) there’s not a lot of hope of being able to block the file. It’s already made its way across the wire. I don’t think Bro has built-in blocking capabilities, but by waiting for the file hash it sounds like it’s already too late without some sort of proxy in the mix.

> Date: Mon, 6 Jun 2016 17:29:48 +0200
> From: Giorgio Apuzzo <giorgio.apuzzo at gmail.com>
> Subject: [Bro] Question: How to block a malicious file
> To: bro at bro.org
> Message-ID: <1E582584-C84F-4E47-A032-BA640C922927 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> I'm trying to write a script that after checking on virus total the hash of a file will block it if malicious.
> I run a ruby script that checks the hash against virus total and return 0 if not malicious and more if not.
> I have looked into the documentation but I can't figure out how to block a file once I know it's malicious..
> 
> Do I need an external tool?
> 
> Thanks
> 
> Giorgio Apuzzo
> giorgio.apuzzo at gmail.com
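As an added illustration of the point made above (this is example code, not from the thread and not one of Bro's own policy scripts): a Bro 2.4-era script that attaches hash analyzers to every file, matches the resulting MD5 against a locally maintained list of known-bad digests, and raises a notice. The module name MalwareHash, the notice type Known_Bad_File and the table bad_md5 are assumptions; the single entry in the table is the published MD5 of the EICAR test string, used as a placeholder. The script deliberately reports f$seen_bytes in the notice, because by the time file_hash fires those bytes have already crossed the monitored link, which is exactly why this is detection rather than blocking.

```bro
# Added example, not from the original thread or from Bro's own policy scripts.
# Compute an MD5 for every file Bro reassembles from the wire and raise a
# notice when it matches a local list of known-bad hashes. file_hash only
# fires once the analyzer has seen the whole file, so this is after-the-fact
# detection; an inline proxy would be needed to actually stop delivery.

@load base/frameworks/notice
@load base/frameworks/files
@load frameworks/files/hash-all-files   # attach MD5/SHA1/SHA256 analyzers to every file

module MalwareHash;

export {
	redef enum Notice::Type += {
		## A file whose hash is on the local known-bad list was seen on the wire.
		Known_Bad_File
	};

	## Known-bad MD5 digests (assumed to be maintained out of band, e.g. by a
	## cron job that runs the VirusTotal lookup script and regenerates this
	## table via redef). The placeholder entry is the MD5 of the EICAR test string.
	const bad_md5: set[string] = {
		"44d88612fea8a8f36de82e1278abb02f",
	} &redef;
}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# hash-all-files also produces sha1 and sha256; only match on md5 here.
	if ( kind != "md5" || hash !in bad_md5 )
		return;

	# When this event fires the file is complete: f$seen_bytes bytes have
	# already been forwarded by the network, so nothing here can block them.
	NOTICE([$note=Known_Bad_File,
	        $f=f,
	        $msg=fmt("known-bad md5 %s seen in file %s (%d bytes already on the wire)",
	                 hash, f$id, f$seen_bytes),
	        $identifier=cat(hash, f$id)]);
	}
```

Load it from local.bro with @load and the notice shows up in notice.log with the usual file fields (fuid, mime type, connection). To act on it outside Bro, attach a Notice::policy hook that adds Notice::ACTION_EMAIL or ACTION_ALARM, or consume notice.log from a separate process; either way the response is to the already-transferred file, not to the transfer itself.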

