Bro script to detect XOR'd executables

Hello list,

I’ve been working on my first real Bro script and I had a couple of questions. It uses the File API to detect the transfer of XOR’d Windows executables; the code is at https://github.com/justbeck/bro-xorpe.

My questions are:

  • Is the file object in the file_new event guaranteed to have the beginning of the captured file? If not, is there a better location to hook the analysis into?

  • What’s the performance impact of running a script like this on a large pipe? The script runs several (quasi) loops for each file_new event and I only have my home network to test it on.

  • Following on the last question, is there a better way to do bitwise operations in Bro scripts besides creating a huge lookup table?

Thanks,

Daniel

> - Is the file object in the file_new event guaranteed to have the beginning of the captured file? If not, is there a better location to hook the analysis into?

No, you aren't guaranteed that it's the beginning of the file. You should be able to inspect the file record though to see if you have gotten the beginning of the file, although I'm blanking on how exactly you'd do that at the moment.

> - What's the performance impact of running a script like this on a large pipe? The script runs several (quasi) loops for each file_new event and I only have my home network to test it on.

Not sure, but likely to have a lot of overhead. There is quite a bit of code there that runs for each file. The best way to find out is to run it on a larger network though.

> - Following on the last question, is there a better way to do bitwise operations in Bro scripts besides creating a huge lookup table?

Unfortunately not at the moment. There have been a number of discussions where we've talked about adding bitwise operators to Bro but we've never come to any firm conclusion.

Anyway, overall it's a really neat script. Nice job!

  .Seth
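The check that both posts above revolve around, written out as an added example in Python (this is not code from the bro-xorpe script; the detection heuristic, the constructed sample header and the key value 0x5C are assumptions for illustration). It shows two things the thread touches on: that a single-byte XOR key is fully determined by the first byte of a PE file, so the 255-iteration loop and the lookup table Daniel describes can collapse to one derivation plus a confirmation, and that the two-byte "MZ" magic alone is too weak a signal, so the DOS stub string is required as well. The brute-force variant is kept alongside for comparison of the two costs.

```python
"""Single-byte-XOR PE detection on the leading bytes of a file.

Added example, not the bro-xorpe script's code. Python is used because the check
needs bitwise XOR, which Bro scripts (at the time of this thread) could only
emulate with a lookup table. The sample header below is constructed, not a real
binary.
"""
from typing import Optional

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with one single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def find_xor_key(head: bytes) -> Optional[int]:
    """Return the single-byte key under which `head` decodes to a PE header, else None.

    Byte 0 of a PE file is 'M', so a single-byte key is fixed by the first byte:
    key = head[0] ^ ord('M'). The candidate is then confirmed by 'Z' at offset 1
    and by the DOS stub string appearing in the decoded head; the two-byte magic
    on its own matches arbitrary data about once in 65536 candidates.
    Key 0 (an unencoded executable) is reported as None: nothing is hidden there.
    `head` must start at file offset 0; a mid-file buffer cannot be judged this way.
    """
    if len(head) < 2:
        return None
    key = head[0] ^ MZ_MAGIC[0]
    if key == 0:
        return None
    if head[1] ^ key != MZ_MAGIC[1]:
        return None
    if DOS_STUB not in xor_bytes(head, key):
        return None
    return key


def find_xor_key_bruteforce(head: bytes) -> Optional[int]:
    """The loop a script without bitwise operators would run: decode the whole
    head under every key (what a 256x256 lookup table stands in for). Same answer
    as find_xor_key, at roughly 255x the work per file."""
    for key in range(1, 256):
        decoded = xor_bytes(head, key)
        if decoded.startswith(MZ_MAGIC) and DOS_STUB in decoded:
            return key
    return None


def build_sample_pe_head() -> bytes:
    """Constructed stand-in for the first 128 bytes of a PE file (not a real binary):
    a 64-byte DOS header, a typical stub code prefix, the stub message, padding."""
    head = bytearray(MZ_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 58)
    head += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    head += DOS_STUB + b".\r\r\n$"
    head += b"\x00" * (128 - len(head))
    return bytes(head)


SAMPLE_KEY = 0x5C  # assumed key for the constructed sample
SAMPLE_PLAIN = build_sample_pe_head()
SAMPLE_XORED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    print("derived key:", find_xor_key(SAMPLE_XORED))
    print("brute-force key:", find_xor_key_bruteforce(SAMPLE_XORED))
    print("plain executable flagged:", find_xor_key(SAMPLE_PLAIN) is not None)
```

The direct derivation only works for a single-byte key; a longer repeating key needs one unknown per key byte and correspondingly more known plaintext, which is where the DOS stub string (38 known bytes at a predictable offset) becomes useful again.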