file hashing, and virustotal api

All,

Thanks for all the help on my previous question, but now I have another. I would like to take the hashed values of files that Bro sees and check them against VirusTotal using their API key. Additionally, I'd like to take the results of the lookup and determine if there are a certain number of hits, then look to see if our current anti-virus is one of them and, if not, fire a notice. The logic looks like this:

if virus total hits is > 8
see if anti-virus vendor is true

if yes fire notice, if not end script.

The problem I am running into here is making the request out with Bro. The current framework only returns the number of hits; I think this method could be more useful depending on the return, so long as I can make the outbound request. Any input or ideas would be very helpful, and once again, if this is documented somewhere, pointing me in that direction would be fine as well.

Thanks again for the help,

BC
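The decision logic BC describes, worked through as an added Python example (not code from this thread, and not Bro script): build the outbound hash lookup against the VirusTotal v2 `file/report` endpoint, parse the reply, and fire a notice only when more than 8 engines flag the file and our own AV vendor is not among them. The v2 response shape assumed here is `response_code`, `positives`, and a `scans` map keyed by vendor name with a `detected` flag; the vendor name `ExampleAV`, the sample reports and the `canned_opener` helper are constructed for offline testing. The "if yes fire notice" line in the question is read the way the preceding sentence states it: notice when our vendor misses the file.

```python
import io
import json
import urllib.parse
import urllib.request

# VirusTotal v2 "file/report" endpoint: POST apikey + resource (a hash).
VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def build_report_request(api_key, file_hash):
    """Build the outbound lookup: returns (url, form-encoded POST body)."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash})
    return VT_FILE_REPORT_URL, body.encode("ascii")


def fetch_report(api_key, file_hash, opener=urllib.request.urlopen):
    """Perform the lookup and parse the JSON reply.

    `opener` is injectable so the decision logic can be exercised offline
    with a canned reply instead of a live VirusTotal call.
    """
    url, body = build_report_request(api_key, file_hash)
    with opener(urllib.request.Request(url, data=body)) as resp:
        return json.loads(resp.read().decode("utf-8"))


def canned_opener(report):
    """Offline stand-in for urlopen that serves a constructed report dict."""
    return lambda request: io.BytesIO(json.dumps(report).encode("utf-8"))


def evaluate_report(report, our_av_vendor, threshold=8):
    """Apply the question's logic to a parsed v2 report.

    notice is True only when positives > threshold AND our own vendor
    (a key in report["scans"]) did not detect the file.
    """
    result = {"notice": False, "positives": 0, "our_vendor_detected": None, "reason": ""}
    # response_code 1: report available; 0: hash unknown to VT; -2: still queued.
    if report.get("response_code") != 1:
        result["reason"] = "no report available for this hash"
        return result
    positives = int(report.get("positives", 0))
    scans = report.get("scans") or {}
    ours = scans.get(our_av_vendor)
    our_detected = bool(ours and ours.get("detected"))
    result.update(positives=positives, our_vendor_detected=our_detected)
    if positives <= threshold:
        result["reason"] = "positives at or below threshold"
    elif our_detected:
        result["reason"] = "our AV vendor already detects this file"
    else:
        result["notice"] = True
        result["reason"] = "widely detected but missed by our AV vendor"
    return result


def format_notice(file_hash, our_av_vendor, result):
    """Text for the notice that would be raised (the Bro side would use NOTICE)."""
    return "VT_Missed_By_%s: %s flagged by %d engines (%s)" % (
        our_av_vendor, file_hash, result["positives"], result["reason"])


# Constructed sample replies in the v2 shape; not real VirusTotal data.
SAMPLE_MISSED = {
    "response_code": 1, "positives": 12, "total": 55,
    "scans": {"ExampleAV": {"detected": False, "result": None},
              "OtherAV": {"detected": True, "result": "Trojan.Generic"}},
}
SAMPLE_UNKNOWN = {"response_code": 0, "verbose_msg": "not found"}


if __name__ == "__main__":
    # Walk the offline path end to end with a placeholder key and hash.
    report = fetch_report("API_KEY_PLACEHOLDER", "HASH_PLACEHOLDER",
                          opener=canned_opener(SAMPLE_MISSED))
    for vendor in ("ExampleAV", "OtherAV"):
        verdict = evaluate_report(report, vendor)
        if verdict["notice"]:
            print(format_notice("HASH_PLACEHOLDER", vendor, verdict))
        else:
            print(vendor, "-> no notice:", verdict["reason"])
    print("unknown hash ->", evaluate_report(SAMPLE_UNKNOWN, "ExampleAV")["reason"])
```

The unknown-hash branch matters in practice: most hashes Bro sees will never have been submitted, and treating "no report" as "zero hits" keeps those from ever producing a notice.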

Here’s a script I presented at the recent Bro4Pros event. virus-total.bro has the core code and vt-hashing.bro integrates with the file analysis.

  .Seth

virus-total.bro (2.74 KB)

vt-hashing.bro (1.09 KB)