Hi,
I’m trying to write a script that after checking on virus total the hash of a file will block it if malicious.
I run a ruby script that checks the hash against virus total and return 0 if not malicious and more if not.
I have looked into the documentation but I can’t figure out how to block a file once I know it’s malicious…
Do I need an external tool?
Thanks
Giorgio Apuzzo
giorgio.apuzzo@gmail.com
Hello Giorgio,
Since Bro works completely passively, and is not an in-line component, Bro
itself cannot block a file. By the time that Bro can calculate the file
hash, the whole file already will have been transferred to the client who
was downloading it. You can just do an after-the-fact reporting.
You could potentially use the NetControl framework (in master, will be
part of 2.5) to block future network connections of the hosts.
I hope this helps,
Johanna