[Bro] File extraction after checking hash.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Oct 4 05:34:15 PDT 2016


Thanks Seth for confirming!
I think we can go through the extractions afterwards and write some sort of
script to delete the dups. :)
And the same for hashes: I asked Wes Young about the query limit of the CIF server
(REN-ISAC) for hashes.
I know that we can query the CIF server for a given hash and get back the
results with the CIF confidence rate and other respective fields.
Hence I will be writing some scripts to get unique hashes and malware execs
from traffic. :)

Thanks!
Fatema.

On Mon, Oct 3, 2016 at 10:36 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Oct 3, 2016, at 2:49 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Hence I wanted to ask: is it possible to add Files::ANALYZER_EXTRACT AFTER
> the Files::ANALYZER_MD5 analyzer, so that I can get the hash first to compare
> against the set before making a decision to extract the file?
>
> Unfortunately not. Since we don't know the hash of the file when we see
> the beginning we can't yet determine that we don't want to extract the
> file.  Sort of a chicken and egg problem. :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
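Added example (not from the thread, and not Bro's own code) of the post-extraction cleanup discussed above: hash every file under the extraction directory, keep one copy per digest, delete the rest, and emit the unique hashes for the CIF lookup. The directory layout and the sample files it builds are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Prune duplicate Bro-extracted files by hash and list the unique hashes."""
import hashlib
import os
import sys
import tempfile


def file_hash(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks so large extractions are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def dedupe_extracted(extract_dir, algo="md5", delete=True):
    """Group files under extract_dir by digest and keep one file per digest.

    Returns (kept, removed): kept maps digest -> surviving path, so its keys
    are the unique hashes to query against threat intel (e.g. CIF); removed
    lists the duplicate paths (deleted from disk when delete=True).
    """
    kept, removed = {}, []
    for root, _dirs, names in os.walk(extract_dir):
        for name in sorted(names):  # deterministic: first name in order survives
            path = os.path.join(root, name)
            digest = file_hash(path, algo)
            if digest in kept:
                removed.append(path)
                if delete:
                    os.remove(path)
            else:
                kept[digest] = path
    return kept, removed


def build_sample_dir():
    """Constructed stand-in for Bro's extract_files/ directory (not real data)."""
    d = tempfile.mkdtemp(prefix="extract_files-")
    samples = {"extract-1": b"a", "extract-2": b"a", "extract-3": b""}
    for name, data in samples.items():  # two copies of "a" plus one empty file
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    unique, dups = dedupe_extracted(target)
    for digest, path in unique.items():
        print(digest, path)
    print(f"{len(unique)} unique, {len(dups)} duplicates removed", file=sys.stderr)
```

Run it with the real extraction directory as the first argument; MD5 matches the thread's Files::ANALYZER_MD5 choice, and passing `algo="sha256"` switches to a collision-resistant digest for the intel query.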