[Bro] File extraction after checking hash.
Azoff, Justin S
jazoff at illinois.edu
Tue Oct 4 11:40:30 PDT 2016
> On Oct 4, 2016, at 1:39 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
>
> And then I can grep the hashes with uniq_hash=T and query the cif server for analysis.
> Also, I can write a script to get the name of the extracted file from the 'extracted' field in files.log with uniq_hash=F
> and delete that file almost in real time, after Bro has extracted that file.
Do you know that the intel framework supports hashes? If you export a feed of hashes from CIF you can load that into Bro and do the alerting on known bad hashes in real time.
> Before I can test it in production, I want to ask if there is a way I can delete the contents of the set uniq_hashes right at midnight,
> so that we can get unique files and hashes on a daily basis logged in files.log? I don't want that variable to grow out of bound,
> consuming a lot of memory, hence I thought 1 day should be a reasonable period of time to flush the contents of the set, and the exact timeline
> will give an idea of uniq hashes queried daily and the no. of execs extracted on a daily basis.
You can probably do it using something like this:
# Declared as a double so the arithmetic below stays in doubles throughout.
global SECONDS_IN_DAY: double = 60.0 * 60.0 * 24.0;

# The set being flushed; declared in the file-extraction script this reply answers.
global uniq_hashes: set[string];

# Next midnight (UTC), derived from the current network time.
function midnight(): time
	{
	local now = network_time();
	local dt = time_to_double(now);
	# floor() to the start of the current UTC day, then step one day forward so the
	# result is the *next* midnight rather than the one that has already passed
	# (otherwise interval_to_midnight() would be negative).
	local mn = (floor(dt / SECONDS_IN_DAY) + 1.0) * SECONDS_IN_DAY;
	return double_to_time(mn);
	}

function interval_to_midnight(): interval
	{
	return midnight() - network_time();
	}

event reset_hashes()
	{
	uniq_hashes = set();   # I think this is the proper way to clear a set? (clear_table() also works on sets)
	# Re-arm for the following midnight so the flush happens every day, not just once.
	schedule interval_to_midnight() { reset_hashes() };
	}

event bro_init()
	{
	print "Time to midnight:", interval_to_midnight();
	schedule interval_to_midnight() { reset_hashes() };
	}
I think that might work properly except for the timezone being in UTC, so it might need to be adjusted, or something different altogether.
Seth has this plugin: https://github.com/sethhall/bro-approxidate
which would let you do
local md = approxidate("midnight");
If it was packaged for bro-pkg it would be easier to install though :-)
The known hosts/services/certs scripts need a framework to do things like this, so 2.6 may end up having this as a built in feature.
--
- Justin Azoff
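The reply above points to the intel framework as the way to alert on known bad hashes in real time. The following Bro script is an added example (not code from the thread, from Justin, or from the Bro project) showing what that looks like: a hash feed in the Intel framework's tab-separated file format, loaded via Intel::read_files, with an Intel::match handler that records which file triggered the hit. The feed path, the feed contents and the source name "cif-export" are assumptions for illustration.

```bro
# local-hashes.bro -- added example of real-time alerting on known bad file hashes
# with the Intel framework. The feed path and the contents of hashes.intel are
# assumptions for illustration, not values from the mailing-list thread.
#
# The feed is a tab-separated file with a #fields header (tabs between columns):
#
#   #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
#   <hash-from-cif>	Intel::FILE_HASH	cif-export	placeholder entry	T
#
# Indicators are hex digests (MD5, SHA-1 or SHA-256). The file-hashes "seen"
# script submits every hash the file analysis framework computes for a file,
# so a feed entry matches whenever the corresponding hash kind is calculated.

@load frameworks/intel/seen      # feeds observed file hashes (and other data) into Intel::seen()
@load frameworks/intel/do_notice # raises Intel::Notice for items with meta.do_notice=T

# Path of the exported hash feed (assumed); the Input framework re-reads it when it changes.
redef Intel::read_files += { "/opt/bro/share/bro/site/hashes.intel" };

# Runs for every intel match; narrow it to file hashes and record which file hit,
# which is what an analyst needs to find the extracted file on disk.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	if ( s$indicator_type != Intel::FILE_HASH )
		return;

	local fid = s?$f ? s$f$id : "<no file>";
	for ( item in items )
		print fmt("known bad hash %s from feed %s seen in file %s",
		          s$indicator, item$meta$source, fid);
	}
```

With meta.do_notice set to T in the feed, the do_notice script also emits a Notice (type Intel::Notice) for each match, so the usual Notice::policy hooks can route it to email or a ticketing system; the Intel::match handler above is only needed when you want the file id alongside the alert.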