Hey all
So quick question, from the notice log:
1363973380.007453 5L7Bsj0Y8dj x.x.x.x 36237 206.169.145.206 80 tcp HTTP::MD5 x.x.x.x 88c48daab78eee9f856c8bff2141f09b http://r3---sn-ufuxaxjvh-v53e.c.pack.google.com/edgedl/toolbar/t7/data/7.4.3607.2246/GoogleToolbarInstaller_updater_signed.exe?ms=nvh&mv=u&mt=1363972912&ir=1&cms_redirect=yes 88c48daab78eee9f856c8bff2141f09b x.x.x.x 206.169.145.206 80 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - - -
What's this telling me? Usually there's something like Invalid Cert or something like that in the notice.log to tell me why it hit, just wasn't seeing the reason here. Thank you.
James
I *hate* that notice and it will be going away in the 2.2 release. The notice type is HTTP::MD5 in that line. It's a hold over from how I implemented file hashing originally back in 2007 or so. It should never have made it into a Bro release (let alone two!).
.Seth
( A notice for binaries on the network is a subjective decision but I think it was not as bad an idea Seth. )
I think back in the day when md5 sum calculation was new feature in bro, this notice merely tells you the fact that binaries (and other mime types of choice) traversing through the network and here is its md5
We found this useful in notice log was for post processing because:
1) Searches were much faster in notice log for known bad md5 compared to http.log due to smaller size of notice logs.
2) Also this provided an easy search string HTTP::MD5 (or SMTP:MD5) to grep on (just a preference)
2) Post processing for HTTP::MD5 allowed us to make a white list of known binaries that we serve from our network and flag if there is a new binary being hosted by us. This was useful to find things like accidental shares open (eg. C:/ is word readable ) or if bad guys are using a webserver to host malware.
Off course, now with input framework we can feed bad md5s into bro realtime etc, but still post-processing of some nature in useful and needed.
Aashish
( A notice for binaries on the network is a subjective decision but I think it was not as bad an idea Seth. )
I'm saying the implementation was bad on my part. It just shouldn't be a notice.
Off course, now with input framework we can feed bad md5s into bro realtime etc, but still post-processing of some nature in useful and needed.
The file analysis framework is going to affect all of your points and generally I think it will make all of them nicer and more consistent.
.Seth
Thanks for the responses gents..helps me out
James