Hello!
I am using Bro in Doug Burks' Security Onion Suite.
I was wondering if there is a way to have the Bro script that extracts executables to also send the executables to my firewall’s API?
Example of the API command that might be included into the Bro script:
curl -i -k -vv -F apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -F file=@/nsm/bro/extracted/HTTP-FEQ4PS1wXd5LAgG3I4.exe https://examplefirewallapi.com
Taking this one step further:
Make the script verify the executables’ file hashes before sending them into the API (to prevent checking the exact same exe twice).
Any feedback would be greatly appreciated!
Samson Hille
IT Security Analyst
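One way to do the hash check and the API submission from the post is a small shell wrapper over the extracted-file directory, which the Bro extraction script (or a cron job) can invoke; this is an added example, not code from the original post, Bro or Security Onion. The extract directory, the hash-list path, the `*.exe` naming and the API URL and key are assumptions or placeholders.

```shell
#!/bin/sh
# Added example: submit each extracted executable to the firewall API once,
# keyed on its SHA-256, as a wrapper around the curl call from the post.
# Assumed (not from the post): EXTRACT_DIR layout, SEEN_DB path, *.exe naming.
EXTRACT_DIR="${EXTRACT_DIR:-/nsm/bro/extracted}"            # Bro extract dir
SEEN_DB="${SEEN_DB:-/var/tmp/bro_submitted_sha256.txt}"      # one hash per line
API_URL="${API_URL:-https://examplefirewallapi.com}"         # placeholder URL
API_KEY="${API_KEY:-REPLACE_WITH_API_KEY}"                   # placeholder key

# send_to_api FILE: the curl upload from the post (-k kept as in the post;
# drop it once the API's certificate is trusted). Redefine this to test offline.
send_to_api() {
    curl -sS -k -F "apikey=$API_KEY" -F "file=@$1" "$API_URL" >/dev/null
}

# submit_one FILE: prints "sent", "skip" (hash already submitted) or "fail".
submit_one() {
    f="$1"
    h=$(sha256sum "$f" | cut -d' ' -f1)
    # -x whole line, -F fixed string: no partial or regex matches on hashes
    if [ -f "$SEEN_DB" ] && grep -qxF "$h" "$SEEN_DB"; then
        echo "skip"; return 0
    fi
    if send_to_api "$f"; then
        echo "$h" >> "$SEEN_DB"   # record only after a successful upload
        echo "sent"; return 0
    fi
    echo "fail"; return 1
}

# submit_new_executables: walk the extract dir, print how many were sent.
submit_new_executables() {
    n=0
    for f in "$EXTRACT_DIR"/*.exe; do
        [ -f "$f" ] || continue               # no matches -> literal glob
        [ "$(submit_one "$f")" = "sent" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Because the check keys on content hash rather than file name, a second copy of the same binary extracted under a different Bro file id is also skipped.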