Hi,
I would like to run Bro 1.5.1. with lookups to the MHR,
since the 1.5 code allready contains the MD5 functions (?),
i assumed i only needed the:
http-cymru-malware-hash.bro
which i loaded into my site/local.bro
@load http-cymru-malware-hash.bro
and verified to be present through:
# broctl scripts | & grep cymru
http-cymru-malware-hash.bro
But i don't see any related logging, so i'm afraid of being
a little naive in my approach. Since i am totally new
at bro, i don't have a clue at how to debug the script.
thanks in advance for any help.
Ewald...
BTW i really like the functionality in Bro, it helped me discover bot
IRC traffic on port 80 and inst_n105.exe trojan dropper downloads from a
server in Russia.
Sorry about that. The situation with that script has kind of been a mess for a while. Recently I spent some time reworking it and integrating it into the rest of my scripts better. I'll finish that up today and update the repository. It will be much easier to run the script once I update it. The logging will be a lot better too.
I'll send an email when I make the update.
.Seth
Hi Seth,
Sorry for bothering you, but ..
did you get any further with the cleanup of the code?
I have used Bro for about two weeks now and it helps me
detect malware infections very well (i check for suspicious
downloads and redownload them myself). Allthough i really
would like the automation to check agains the MHR, my personal
findings indicate that the hashes are commonly not know.
Would it be an idea to check the hash against virustotal?
http://www.virustotal.com/buscaHash.html
don't know if the scripting language of Bro is even capable of
doing that. I wrote a perl script to do it from the commandline
but it uses WWW::Mechanize.
Perhaps a better idea for BRO/VT capabilities is to use an
intermediate system which does the hash checking with VT and
caches the results. Bro could than use simple http to check
the hash against the intermediate system.
just my thoughts, free flowing
thanks in advance,
Ewald Beekman...
Sorry for bothering you, but ..
did you get any further with the cleanup of the code?
I did. On Monday I pushed my changes to my my github repository but I just haven't had time to send an email about the changes yet. There are a lot of changes.
* My version of http-identified-files is now named http-ext-identified-files to avoid conflicts with the built in http-identified-files script.
* http-ext-identified-files doesn't require libmagic anymore and file signatures are now defined in http-ext-identified-files.sig.
* Software-ext can detect and log adobe flash player versions (more detected software coming soon) if http-ext is loaded.
- you also want to apply this patch if you load software-ext.. http://tracker.icir.org/bro/ticket/227
* Team Cymru MHR work is now done by http-hash.bro and the notice name has changed from HTTP_Malware to HTTP_MHR_Malware. This could change again at some point, I can't figure out which I like better.
* Please don't run dns-ext.bro. It *will* cause memory issues because it doesn't release state quickly enough. I'm going to fix that problem as soon as I have time and motivation.
If you want to see configuration options for the scripts, look in the "export" section near the top. I think I've documented each of the configuration options, but let me know if there are anymore options you'd like to have. I'm going to be writing documentation for all of these scripts soon with more detail than just "look at the export section". There are a lot of little tricks you can do to do further analysis that might not be readily apparent.
I have used Bro for about two weeks now and it helps me
detect malware infections very well
Great! The new version of the scripts makes it much easier to define what types of files you'd like to collect hashes for and logs those in the normal tab separated output format that I use for all of my scripts (documented in http-hash). Keep in mind that your Bro instance will slow down as you generate md5 sums for more file types. It could be worth testing the limits on your network though if you're interested in md5 sums for a few extra file types.
Would it be an idea to check the hash against virustotal?
That's definitely a legitimate idea and it would be great if they offered a DNS interface similar to Team Cymru. However, they don't so we can't do it right now.
Perhaps a better idea for BRO/VT capabilities is to use an
intermediate system which does the hash checking with VT and
caches the results. Bro could than use simple http to check
the hash against the intermediate system.
Matthias Vallentin has an idea for handling this sort of extended processing that can't currently be done (and possibly shouldn't be done) within Bro. I'll let him introduce his thoughts relating to your idea if he wants.
just my thoughts, free flowing
Keep them coming.
.Seth
In case anyone doesn't know the URL:
http://github.com/sethhall/bro_scripts
.Seth
> Perhaps a better idea for BRO/VT capabilities is to use an
> intermediate system which does the hash checking with VT and
> caches the results. Bro could than use simple http to check
> the hash against the intermediate system.
Matthias Vallentin has an idea for handling this sort of extended
processing that can't currently be done (and possibly shouldn't be
done) within Bro. I'll let him introduce his thoughts relating to
your idea if he wants.
It is already possible to process Bro events from a scripting language
(Ruby and Python currently) to perform time-intensive tasks separately,
without having to worry about real-time constraints. My idea is to push
this notion a little further by writing a framework that allows you to
(i) manage intelligence sources in a unified fashion, e.g.,
blacklist integration
(ii) generate/update both scripts and state remotely via broctl and
the event-based Broccoli channel
(iii) write high-level plug-ins (such as for Tor traffic, PDF
analysis, or CWSandbox malware execution) that offer a
consistent and interface to Bro using primitives from (ii)
Seth brought point (i) to my attention, so I throw the ball back to him
for details
Unfortunately, I am currently lacking the cycles to work on this idea.
But as soon as any of this is usable, you'll hear about it.
Matthias