Help needed on Detect-MHR

Hi there, new to the community here.

Not sure why, but Zeek is not detecting the malware I have downloaded over HTTP (live capture and in pcap analysis). I understand that the MHR is enabled by default, but somehow, Zeek is not picking it up.

I’ve checked my configurations in the local.zeek file, but all looks fine - the MHR script is loaded, sha256 is also enabled and I am also able to extract files. My Zeek version is 6.0.0.

I’m following this walkthrough: Zeekurity Zen – Part VI: Zeek File Analysis Framework - ericooi.com

I’m not sure if this is the right place to ask, if it is not, are you also able to point me to where I can get help? Thanks.

Regards,
meep

This is the right place :slight_smile:

Would you be able to share the md5, sha1 and sha256 values that you expect to be detected from your files.log?

To see if the detect-MHR.zeek script could possibly work, on the same system where you run Zeek, does a manual lookup for the hash using dig work? (replacing the hash with what you suspect is malware from your files.log).

dig +short 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467.hash.cymru.com TXT
"1649591578 87"

See the following documentation for details about the result string (scan time and detection rate):
https://hash.cymru.com/docs_dns

Thanks,
Arne

Hi Arne,

Thank you for the suggestion.

The file that I was expecting to detect from my files.log is a file named wildfire-test-elf-file (from this link: Test a Sample Malware File)

The file hashes of the test files are:
32decb3d24368d5b007f9048abcfa580 (md5)
c6585e8d613d96037b7ea92f62f129e52ca2b5081b293c8e453cef1dbc3c7fb9 (sha256)
93551df35d52b66ad0229be8a9c87a36cb6b2f73 (sha1)

Within my log capture of files.log, it shows the following:
cat files.log | zeek-cut sha256

The dig did not seem to work either (?)
dig +short c6585e8d613d96037b7ea92f62f129e52ca2b5081b293c8e453cef1dbc3c7fb9.hash.cymru.com TXT

dig: ‘c6585e8d613d96037b7ea92f62f129e52ca2b5081b293c8e453cef1dbc3c7fb9.hash.cymru.com’ is not a legal IDNA2008 name (domain label longer than 63 characters), use +noidnin

Regards,
meep

Thanks - if you enter that hash in the MHR web interface there are no hits. Essentially Zeek is using MHR as an API (through DNS though) and if there are no hits from MHR, you won’t see a notice.log. You may try some actual malware or testing for which above UI provides hits, too.

dig: ‘c6585e8d613d96037b7ea92f62f129e52ca2b5081b293c8e453cef1dbc3c7fb9.hash.cymru.com’ is not a legal IDNA2008 name (domain label longer than 63 characters), use +noidnin

For sha256 you need to split up into c6585e8d613d96037b7ea92f62f129e5.2ca2b5081b293c8e453cef1dbc3c7fb9.hash.cymru.com but there aren’t results for that one either.

Hope that helps,
Arne
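As an added example (not code from the thread, and not Zeek's own detect-MHR.zeek), here is the lookup-name construction and answer parsing that Arne describes in Python: md5/sha1 fit in one DNS label, sha256 has to be split into two 32-character labels, and an empty answer is the "no hit, no notice" case. The 10% notice threshold is an assumption for this example, not a value taken from the thread.

```python
import re
from datetime import datetime, timezone

# MHR is queried over DNS: <hash>.hash.cymru.com, record type TXT (from the thread).
MHR_ZONE = "hash.cymru.com"


def mhr_query_name(digest: str) -> str:
    """Build the DNS name for an md5 (32 hex), sha1 (40 hex) or sha256 (64 hex) digest.

    A sha256 digest is 64 characters, over the 63-octet DNS label limit that dig
    complained about, so it is split into two 32-character labels as in the thread.
    Any other length is rejected rather than guessed.
    """
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        raise ValueError(f"not a hex digest: {digest!r}")
    if len(d) in (32, 40):
        return f"{d}.{MHR_ZONE}"
    if len(d) == 64:
        return f"{d[:32]}.{d[32:]}.{MHR_ZONE}"
    raise ValueError(f"unsupported digest length {len(d)}")


def parse_mhr_txt(txt: str):
    """Parse the TXT answer as dig prints it, e.g. '"1649591578 87"'.

    Returns (scan time as an aware UTC datetime, detection rate in percent),
    or None when the answer is empty, i.e. the hash is not in MHR.
    """
    body = txt.strip().strip('"')
    if not body:
        return None
    m = re.fullmatch(r"(\d+)\s+(\d+)", body)
    if not m:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    scan_ts, rate = int(m.group(1)), int(m.group(2))
    return datetime.fromtimestamp(scan_ts, tz=timezone.utc), rate


def would_notice(txt: str, min_rate: int = 10) -> bool:
    """No TXT answer means no notice, which is why the test file produced no
    notice.log. min_rate is an assumed threshold for this example only."""
    parsed = parse_mhr_txt(txt)
    return parsed is not None and parsed[1] >= min_rate
```

Pipe a hash column from files.log through mhr_query_name and you get the exact name to hand to dig, without hitting the IDNA label error.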