Maybe I’m misunderstanding what you’re trying to do, but if the entire file has already been transferred (which you need to do to calculate the hash) there’s not a lot of hope of being able to block the file. It’s already made it’s way across the wire. I don’t think Bro has built-in blocking capabilities, but by waiting for the file hash it sounds like it’s already too late without some sort of proxy in the mix.