I am working with BRO, trying to add the capability of malware detection using Bro.
I am already using the intel framework provided by Bro and feeding IOC data into it.
It successfully detects and logs the connections that have bad IPs and domains in the intel.log file.
The functionality I would like to add is to detect any malware downloaded by any of the endpoints, and for that I need some good IOC data of hashes. I searched the internet for IOC hashes but couldn’t find any good source for it.
Does anyone have any pointers in this direction, or any other magic that can be used to accomplish the same purpose?
MITRE and NIST have been putting some efforts into the “Malware Attribute Enumeration and Characterization (MAEC)” standard. I haven’t done much work with it, but it’s worth looking into. They have a list of datasets at https://github.com/MAECProject/datasets.
Sending the hashes out to services like VirusTotal or Team Cymru is another widely used option. This is all covered under the Bro File Extraction Exercise on the website (https://www.bro.org/current/exercises/faf/).
If you are trying to do this without sending any information over the internet, there are in-house implementations that are available for commercial use. Opswat Meta-defender is an example of a commercially available multi-AV platform with an API that Bro can interface with. https://www.opswat.com/metadefender-core
Hope this helps.
Have you looked at https://www.bro.org/sphinx/scripts/policy/frameworks/files/detect-MHR.bro.html ?
If I am understanding your goal, this seems to be a good fit for what you’re trying to do.
Thank you for the suggestions.
The detect-MHR.bro script is already enabled in the local.bro file, but I don’t get any logging in the notice.log file corresponding to the Malware Hash Registry.
I looked at the script and the notice_threshold is set to 10 (10% minimum detection rate), which is reasonable, but as I was analyzing a malware hash detected by another IDS device, which when checked on Team Cymru’s lookup (https://hash.cymru.com) had a 26% detection rate, I realized that there were no entries in the files.log and notice.log files corresponding to that hash.
Bro didn’t log any hash for the file transfer that transpired.
1472425280.047247 Fs9rse1xsQgD2TIADa 184.108.40.206 x.x.x.x CJFssC2o2RqHx6PJY8 HTTP 0 MD5,PE,SHA1 application/x-dosexec - 11.101799 F F 2122412 20265152 18142740 0
Also, when I checked, the Content-Type reported by the IDS device was application/x-www-form-urlencoded, and I’m guessing that files with this MIME type are probably not hashed by Bro.
I don’t know why I am not able to find the corresponding hash in the Bro logs.
Those last 3 numbers are:
seen_bytes = 2122412
total_bytes = 20265152
missing_bytes = 18142740
Bro did not see 90% of the bytes of the file; it can't hash what it didn't see.
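As an added example (not from this thread and not part of Bro itself), the following Python parses a Bro-format files.log using its `#fields` header and, for each file, reports whether a hash was logged or how much of the file the sensor missed, using the seen_bytes, total_bytes and missing_bytes columns explained above. The log content is constructed: the first record reuses the byte counts quoted in the thread, the second is a fully seen file with a placeholder MD5, and the hosts are documentation addresses.

```python
"""Added example: parse a Bro/Zeek files.log and explain, per file, whether a
hash could be computed or whether the sensor missed bytes."""
from typing import Dict, Iterator, List, Optional

# Constructed sample files.log in Bro 2.x TSV format (not a real capture).
# Record 1 reuses the byte counts quoted in the thread; record 2 is a fully
# seen file with a placeholder MD5 (all zeros ending in 1).
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers"
    "\tmime_type\tfilename\tduration\tlocal_orig\tis_orig\tseen_bytes"
    "\ttotal_bytes\tmissing_bytes\toverflow_bytes\ttimedout\tparent_fuid"
    "\tmd5\tsha1\tsha256\textracted",
    "1472425280.047247\tFexample1\t192.0.2.10\t198.51.100.5\tCexample1\tHTTP\t0"
    "\tMD5,PE,SHA1\tapplication/x-dosexec\t-\t11.101799\tF\tF\t2122412"
    "\t20265152\t18142740\t0\tF\t-\t-\t-\t-\t-",
    "1472425301.500000\tFexample2\t192.0.2.10\t198.51.100.5\tCexample2\tHTTP\t0"
    "\tMD5,PE,SHA1\tapplication/x-dosexec\t-\t2.250000\tF\tF\t4096"
    "\t4096\t0\t0\tF\t-\t00000000000000000000000000000001\t-\t-\t-",
])


def parse_bro_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, keyed by the #fields header. Fields equal to
    the #unset_field marker ('-' by default) become None."""
    fields: List[str] = []
    unset = "-"
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #types, #close) and blanks
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def file_coverage(rec: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Summarise how much of a file the sensor saw and whether a hash exists."""
    seen = int(rec["seen_bytes"] or 0)
    missing = int(rec["missing_bytes"] or 0)
    total = int(rec["total_bytes"]) if rec["total_bytes"] is not None else None
    if total:
        missing_ratio: Optional[float] = missing / total
    else:
        # Without a Content-Length only missing_bytes says anything about gaps.
        missing_ratio = 0.0 if missing == 0 else None
    return {
        "fuid": rec["fuid"],
        "mime_type": rec["mime_type"],
        "seen_bytes": seen,
        "missing_ratio": missing_ratio,
        "md5": rec["md5"],
        "complete": missing == 0 and total is not None and seen == total,
    }


def coverage_report(text: str) -> List[Dict[str, object]]:
    """Coverage summary for every record in a files.log."""
    return [file_coverage(r) for r in parse_bro_log(text)]


def explain(cov: Dict[str, object]) -> str:
    """One human-readable line per file: hash if present, otherwise why not."""
    if cov["md5"]:
        return "%s: md5 %s" % (cov["fuid"], cov["md5"])
    ratio = cov["missing_ratio"]
    if ratio:
        return "%s: no hash, %.0f%% of bytes missing (capture loss?)" % (
            cov["fuid"], 100 * ratio)
    return "%s: no hash logged" % cov["fuid"]


if __name__ == "__main__":
    for cov in coverage_report(SAMPLE_FILES_LOG):
        print(explain(cov))
```

Run against a real files.log the same way; a file that shows a large missing_ratio and no md5 is a capture-loss symptom on the sensor, not a problem with the hash lookup scripts.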
Thanks Justin for the answer.
Yeah, we realized that we were having some capture loss with our BRO sensors; it’s fixed now.
I wanted to ask whether there is a framework available to integrate Bro with VirusTotal as well, just like it uses Team Cymru’s MHR to check the hashes against.
The issue is that we get a very low detection rate with MHR, i.e. we see a good number of hashes that are detected as malware/Trojans by other IDS devices, and when the same hashes are checked against MHR by Bro, we do not get any records in notice.log as they come out clean in MHR.
I realized that VirusTotal has a pretty decent detection rate for those hashes.
I haven’t looked into the details of the framework used to integrate Bro with MHR, but I am thinking the same could be done with VirusTotal, hence I wanted to confirm whether this is something achievable using Bro or not, before diving deep into it.
Appreciate the help.
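As an added example (not from this thread, and not Bro's own detect-MHR.bro), the following Python reproduces the decision detect-MHR.bro makes, raise a notice when the detection rate is at or above a 10% threshold, with the hash lookup pluggable so that the same rule can be fed from a different source. It assumes MHR's TXT answer format (`<unix time last seen> <detection rate percent>`, no answer for unknown hashes) and the `response_code`/`positives`/`total` fields of a VirusTotal v2 file-report JSON; all hashes and responses are constructed and nothing touches the network.

```python
"""Added example: detect-MHR.bro's threshold decision with a pluggable lookup,
exercised against constructed MHR and VirusTotal-style responses."""
from typing import Callable, Dict, Optional, Tuple

# Same default as detect-MHR.bro's notice_threshold (percent of AV engines).
NOTICE_THRESHOLD = 10

# Placeholder MD5s (constructed, not real samples).
HASH_A = "a" * 32
HASH_B = "b" * 32
HASH_C = "c" * 32

# Assumption: MHR answers a TXT query for <md5>.malware.hash.cymru.com with
# "<unix time last seen> <detection rate percent>"; unknown hashes get no answer.
CONSTRUCTED_MHR_TXT: Dict[str, str] = {
    HASH_A: "1472425280 26",  # 26%, like the hash discussed in the thread
    HASH_B: "1472425280 3",   # known, but below the notice threshold
}

# Assumption: VirusTotal v2 file/report JSON; response_code 0 means never seen.
CONSTRUCTED_VT_REPORTS: Dict[str, dict] = {
    HASH_B: {"response_code": 1, "positives": 20, "total": 55},
    HASH_C: {"response_code": 0},
}

Lookup = Callable[[str], Optional[float]]


def parse_mhr_txt(txt: str) -> Optional[Tuple[int, int]]:
    """Split an MHR TXT answer into (last_seen_unix_time, detection_percent);
    None when the answer is malformed."""
    parts = txt.split(" ")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


def mhr_lookup(md5: str) -> Optional[float]:
    """Detection rate in percent from the constructed MHR table, or None."""
    txt = CONSTRUCTED_MHR_TXT.get(md5.lower())
    if txt is None:
        return None
    parsed = parse_mhr_txt(txt)
    return None if parsed is None else float(parsed[1])


def rate_from_vt_report(report: dict) -> Optional[float]:
    """Normalise a VirusTotal-style report to a percent so it can be compared
    against the same threshold MHR uses."""
    if report.get("response_code") != 1 or not report.get("total"):
        return None
    return 100.0 * report["positives"] / report["total"]


def vt_lookup(md5: str) -> Optional[float]:
    report = CONSTRUCTED_VT_REPORTS.get(md5.lower())
    return None if report is None else rate_from_vt_report(report)


def should_notice(rate: Optional[float], threshold: int = NOTICE_THRESHOLD) -> bool:
    """detect-MHR.bro's rule: notice when the rate is known and >= threshold."""
    return rate is not None and rate >= threshold


def check_hashes(hashes, lookup: Lookup,
                 threshold: int = NOTICE_THRESHOLD) -> Dict[str, Tuple[Optional[float], bool]]:
    """Map each hash to (detection rate or None, notice?) for one lookup source."""
    results = {}
    for h in hashes:
        rate = lookup(h)
        results[h] = (rate, should_notice(rate, threshold))
    return results


if __name__ == "__main__":
    for name, lookup in (("MHR", mhr_lookup), ("VT", vt_lookup)):
        for h, (rate, notice) in check_hashes([HASH_A, HASH_B, HASH_C], lookup).items():
            print("%s %s rate=%s notice=%s" % (name, h[:8], rate, notice))
```

The point of the comparison is visible in HASH_B: MHR reports 3% (no notice), while the VirusTotal-style report for the same hash normalises to about 36% and would trip the threshold. In a real deployment the lookup function is where the network call goes; keep the threshold logic separate so switching or combining sources does not change how notices are decided.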