[Bro] File extraction after checking hash.

Jan Grashöfer jan.grashoefer at gmail.com
Tue Oct 4 13:22:06 PDT 2016


>> Do you know that the intel framework supports hashes?  If you export a
>> feed of hashes from CIF you can load that into bro and do the alerting on
>> known bad hashes in real time.
> 
> Yes. And that was the plan, but unfortunately, I couldn't get the list of
> the feeds (hashes) pulled down from REN-ISAC

If you come up with a feed, using the intel framework should be
straightforward. We did a POC, extracting files (I think below 100MB) and
just preserved them in case of an intel hit (see
https://github.com/J-Gras/intel-extensions/blob/master/scripts/preserve_files.bro).
The only thing to set up except extraction and this script is a cron job
deleting the extracted files that aren't of interest. To avoid dups one
might want to name the extracted files according to their hash or
something like that.

Jan
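The setup Jan sketches (extract files under a size limit, name them by hash to avoid duplicates, keep only those that produce an intel hit, and let a cron job purge the rest) as an added example script. This is not Jan's preserve_files.bro and not part of the thread; it assumes a standalone (non-cluster) Bro 2.x instance, because Intel::match must fire on the same node that holds the extracted files. The module name, the 100MB limit, the preserve directory and the use of `rename()` to move files on the same filesystem are assumptions.

```bro
# Added example, not Jan's preserve_files.bro. Assumes a standalone
# (non-cluster) Bro 2.x instance: Intel::match is handled on the node that
# also holds the extracted files. Directory names and the size limit are
# assumptions.

@load base/frameworks/files
@load base/frameworks/intel
@load base/files/extract
@load base/files/hash
@load policy/frameworks/intel/seen/file-hashes

module PreserveOnHit;

export {
	## Files whose announced size reaches this are not extracted (assumed value).
	const max_size: count = 100 * 1024 * 1024 &redef;

	## Extracted files that produced an intel hit are moved here (assumed path).
	const preserve_dir: string = "./preserved_files/" &redef;
}

# Current on-disk path of each extracted file, keyed by file id. Entries
# expire on their own rather than being deleted in file_state_remove,
# because Intel::match for a hash is queued after file_state_remove.
global extracted: table[string] of string &create_expire=10min;

event bro_init()
	{
	mkdir(preserve_dir);
	}

event file_new(f: fa_file)
	{
	# Skip files that already announce a size above the limit; the extract
	# limit cuts off streams whose size is not known up front.
	if ( f?$total_bytes && f$total_bytes >= max_size )
		return;

	local name = fmt("extract-%s", f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=name, $extract_limit=max_size]);
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	extracted[f$id] = build_path_compressed(FileExtract::prefix, name);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Rename the extracted file to its SHA-1 so repeated transfers of the
	# same content collapse into one file on disk.
	if ( kind != "sha1" || f$id !in extracted )
		return;

	# A cut-off extract is not the content the hash describes; leave its name.
	if ( f$info?$extracted_cutoff && f$info$extracted_cutoff )
		return;

	local target = build_path_compressed(FileExtract::prefix, hash);
	if ( rename(extracted[f$id], target) )
		extracted[f$id] = target;
	}

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# Only hits on file hashes refer to a file we may have extracted.
	if ( s$indicator_type != Intel::FILE_HASH || ! s?$f )
		return;

	local fid = s$f$id;
	if ( fid !in extracted )
		return;

	# Move the file out of the extraction directory so the cron job that
	# purges uninteresting extracts leaves it alone.
	local dst = build_path_compressed(preserve_dir, s$indicator);
	if ( rename(extracted[fid], dst) )
		extracted[fid] = dst;
	}
```

Load it next to the intel feed (for example `bro -i eth0 preserve_on_hit.bro` with `Intel::read_files` pointing at the hash feed), and pair it with the cron job from the message, e.g. `find ./extract_files -type f -mmin +60 -delete`, which only ever touches files that produced no hit because hits have already been moved to the preserve directory. Naming by hash also means a second copy of known content simply overwrites the first instead of accumulating.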

