I’ve just installed a Security Onion (the latest release) for testing purposes and I’m trying to extract files plus scan them with VirusTotal or any other engine in an automated way.
I’ve seen the script detect-MHR.bro that seems appropriate for that.
I’ve downloaded a pcap containing some adult websites samples including malware executables downloaded by the client.
I’ve run the command bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/extract-all-files.bro
Everything is fine, I have the malware sample, but when I run the command
bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/hash-all-files.bro I get no output, and the same for the command with detect-MHR.
So my questions are:
Did I miss something? Was the output sent somewhere other than the current repository? (btw the executable is flagged red by almost 50 antivirus engines on VirusTotal)
Is there any better solution for automated detection of malware samples in files?
Thanks for your reply
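The hash-all-files script does not print to stdout: it adds md5, sha1 and sha256 columns to the files.log that bro writes into the working directory. The following Python script, added here as an example and not part of the original post or of Bro/Zeek, parses a files.log in Zeek's tab-separated ASCII format using its #fields and #unset_field headers and reports any record whose SHA-256 appears in a local blocklist. The log excerpt and the blocklist hashes are constructed placeholders; the helper names (parse_files_log, find_blocklisted) are this example's own.

```python
"""Parse a Bro/Zeek files.log (where hash-all-files.bro records digests) and
flag records whose SHA-256 appears in a local blocklist.

Added example, not part of the original post or of Bro/Zeek. The log lines
and the blocklist hashes below are constructed for illustration only."""

# Constructed excerpt of a files.log in Zeek's tab-separated ASCII format.
# Real logs carry more columns; only the ones used below matter here.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename\tmd5\tsha1\tsha256
#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring\tstring\tstring\tstring\tstring
1400000000.1\tFaaaa1\t203.0.113.10\t192.0.2.5\tHTTP\tapplication/x-dosexec\tupdate.exe\td41d8cd98f00b204e9800998ecf8427e\t-\t0000000000000000000000000000000000000000000000000000000000000001
1400000001.2\tFbbbb2\t203.0.113.11\t192.0.2.5\tHTTP\timage/jpeg\tbanner.jpg\t-\t-\t-
1400000002.3\tFcccc3\t203.0.113.12\t192.0.2.5\tHTTP\ttext/html\t-\t-\t-\t0000000000000000000000000000000000000000000000000000000000000002
#close\t2014-05-13-00-00-03
"""

# Constructed blocklist: placeholder digests, not real indicators.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}


def parse_files_log(text):
    """Yield one dict per data record, keyed by the names in the #fields
    header. Fields equal to the #unset_field marker ('-' by default) become
    None so callers can tell 'no hash computed' from a real value."""
    fields = None
    unset = "-"
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            # Header lines: key and value are tab-separated.
            key, _, value = raw.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line appeared before the #fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError("record has %d columns, header declares %d"
                             % (len(values), len(fields)))
        yield {name: (None if v == unset else v)
               for name, v in zip(fields, values)}


def find_blocklisted(text, blocklist):
    """Return the records whose sha256 column matches an entry in blocklist.
    Records without a sha256 (e.g. files.log written without hash-all-files)
    are skipped rather than treated as clean or as matches."""
    hits = []
    for rec in parse_files_log(text):
        digest = rec.get("sha256")
        if digest is None:
            continue
        if digest.lower() in blocklist:
            hits.append({
                "fuid": rec["fuid"],
                "filename": rec.get("filename") or "(none)",
                "source": rec.get("source"),
                "mime_type": rec.get("mime_type"),
                "sha256": digest,
            })
    return hits


if __name__ == "__main__":
    # Usage: read an actual files.log from the current directory instead of
    # SAMPLE_FILES_LOG, e.g. open("files.log").read().
    for hit in find_blocklisted(SAMPLE_FILES_LOG, KNOWN_BAD_SHA256):
        print("blocklisted file %(fuid)s (%(filename)s, %(mime_type)s via "
              "%(source)s): sha256=%(sha256)s" % hit)
```

The unset marker matters in practice: if a record has "-" in the hash columns, the hash scripts were not loaded for that run, which is worth checking before concluding that a file is clean.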