Using Bro's file extraction script


I am using Bro in Doug Burke’s Security Onion Suite.

I was wondering if there is a way to have the Bro script that extracts executables to also send the executables to my firewall’s API?

Example of the API command that might be included into the Bro script:

curl -i -k -vv -F apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -F file=@/nsm/bro/extracted/HTTP-FEQ4PS1wXd5LAgG3I4.exe

Taking this one step further:

Make the script verify the executables’ file hashes before sending them into the API (to prevent checking the exact same exe twice).

Any feedback would be greatly appreciated!

Samson Hille

IT Security Analyst

You can pretty much do whatever you’d like w/the extraction stuff.

Here’s something I wrote that uses curl to check the virustotal API

There’s no reason you can’t reference the extracted file and curl it elsewhere.

We actually did something similar, we just wrote an external script to call (instead of just curl) to keep track of hashes and then do the submit, etc… it works nicely. The biggest challenge was getting something to keep track of the hashes to check for duplicates.