Hi there,
I need some help to obtain a MD5 hash of file. But not a file obtained from an HTTP stream. I have my own network payload I have written to disk:
f=open(payload_filename);
if (write_file(f, payload))
{
close(f);
}
in this case the file handler "f" is of type "file".
I tried adding it to an MD5 analyzer:
#Files::add_analyzer(f, Files::ANALYZER_MD5);
However this request needs a "fa_file" record, associated with a stream not a "file" handler...
Anyone can explain how can I obtain a MD5 hash from a file in disk?
Thank you!
Does any one have a method for creating metrics with bro. In regards to IT security needs: I.e. How many malware event types, violations, etc?
Ok,
Found it. Only had to use the function
md5_hash
…of the payload, not the handler.
Have you looked at Bro-statsd? If you are comfortable with Bro scripting and something like graphite or influxdb you should be able to do just about anything.
https://github.com/JustinAzoff/bro-statsd-plugin
We use Logstash to ship the our Bro logs into ElasticSearch, then we use Kibana to create all sorts of interesting dashboards related to our traffic. If you use the JSON output plugin for Bro it makes it easy because you don’t need to try to write Bro filters for Logstash to parse the logs, just pump the JSON directly into ElasticSearch. Be aware that ElasticSearch 2 doesn’t allow dots in field names, so you’ll either need to stick with the 1x branch or use Logstash filters to remove the dots.