Using Bro's file extraction script

Hello!

I am using Bro in Doug Burke’s Security Onion Suite.

I was wondering if there is a way to have the Bro script that extracts executables also send the executables to my firewall’s API?

Example of the API command that might be included in the Bro script:

curl -i -k -vv -F apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -F file=@/nsm/bro/extracted/HTTP-FEQ4PS1wXd5LAgG3I4.exe https://examplefirewallapi.com

Taking this one step further:

Make the script verify the executables’ file hashes before sending them into the API (to prevent checking the exact same exe twice).

Any feedback would be greatly appreciated!

Samson Hille

IT Security Analyst

You can pretty much do whatever you’d like w/the extraction stuff.

Here’s something I wrote that uses curl to check the VirusTotal API:
https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro

There’s no reason you can’t reference the extracted file and curl it elsewhere.

We actually did something similar; we just wrote an external script to call (instead of just curl) to keep track of hashes and then do the submit, etc. It works nicely. The biggest challenge was getting something to keep track of the hashes to check for duplicates.

-=Mike
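An added example (not from the thread, and not Bro's or Security Onion's own code) of the kind of external helper Mike describes: Bro would invoke it (e.g. via `system()` from the event that fires when an extracted file is complete) with the extracted file's path, and it submits each file to the firewall API once per unique SHA-256. It assumes the FW_API_URL and FW_API_KEY environment variables, a HASH_DB text file holding the hashes already sent, and an FW_DRY_RUN switch; the curl form follows Samson's command line, minus `-k`, so the firewall's certificate is actually verified.

```shell
#!/bin/sh
# submit_once.sh FILE  -- send an extracted file to the firewall API once per hash.
# Hypothetical helper; HASH_DB, FW_API_URL, FW_API_KEY, FW_DRY_RUN are assumed names.
HASH_DB="${HASH_DB:-/var/tmp/fw_submitted_hashes.txt}"

# SHA-256 of a file, portable across sha256sum (Linux) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit 0 if this hash was already submitted (exact, fixed-string match per line).
already_submitted() {
    [ -f "$HASH_DB" ] && grep -qxF "$1" "$HASH_DB"
}

# Append a hash so later runs skip the same sample.
record_hash() {
    printf '%s\n' "$1" >> "$HASH_DB"
}

# Upload to the firewall API. With FW_DRY_RUN=1 only the command is printed
# (API key masked), so the script can be exercised offline.
submit_file() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "dry-run: curl -F apikey=*** -F file=@$1 $FW_API_URL"
        return 0
    fi
    curl -sS -f -F "apikey=$FW_API_KEY" -F "file=@$1" "$FW_API_URL"
}

# Entry point. Returns 0 = submitted, 2 = duplicate skipped, 1 = error.
# Note: if Bro may call this concurrently, wrap the check-then-record in a
# lock (e.g. flock on HASH_DB) so two instances cannot both submit one hash.
submit_if_new() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    h=$(file_sha256 "$f")
    if already_submitted "$h"; then
        echo "skip $f (sha256 $h already sent)"
        return 2
    fi
    submit_file "$f" || return 1
    record_hash "$h"
    echo "sent $f (sha256 $h)"
}

if [ $# -gt 0 ]; then submit_if_new "$1"; fi
```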