
The Malware Hash Registry and Bro IDS

sethhall edited this page Sep 12, 2010 · 2 revisions

About
-----

This is a set of experimental patches and a Bro policy script that will enable
an analyst to inspect HTTP file transfers in realtime and build MD5 sums, then
subsequently compare those MD5 sums (again in realtime) with Team Cymru’s
Malware Hash Registry (MHR) through their DNS interface.

If an executable file is identified as being included in the MHR, the
HTTP_Malware notice is raised.
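The detection pipeline described above (identify an executable, hash the full HTTP body, ask the MHR about that hash over DNS, raise a notice on a hit) is easy to reason about outside Bro. The following is an added, stand-alone Python example; it is not the Bro policy script from this repository. It assumes the DNS interface Team Cymru documents for the MHR: a TXT query for `<md5>.malware.hash.cymru.com`, answered with `<last-seen unix timestamp> <AV detection percentage>` for listed hashes and with no record for unlisted ones. The `looks_executable` check is a deliberately small stand-in for the libmagic test the Bro patch uses, the live resolver uses the optional dnspython library, and the sample file and MHR answer are constructed for the offline demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

# Zone of the MHR DNS interface (assumption: as documented by Team Cymru).
MHR_ZONE = "malware.hash.cymru.com"


@dataclass
class MhrHit:
    last_seen: int       # unix timestamp of the last time the MHR saw the sample
    detection_pct: int   # percentage of AV engines that flagged it


def looks_executable(data: bytes) -> bool:
    """Minimal stand-in for libmagic: PE ('MZ') or ELF ('\\x7fELF') magic."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def md5_hex(data: bytes) -> str:
    """MD5 of the complete file body, as the incremental patch computes it."""
    return hashlib.md5(data).hexdigest()


def mhr_query_name(md5hex: str) -> str:
    """Build the DNS name to query for a given MD5 (lowercase hex, 32 digits)."""
    md5hex = md5hex.lower()
    if len(md5hex) != 32 or any(c not in "0123456789abcdef" for c in md5hex):
        raise ValueError("expected a 32-hex-digit MD5")
    return f"{md5hex}.{MHR_ZONE}"


def parse_mhr_txt(txt: str) -> Optional[MhrHit]:
    """Parse a TXT answer of the form '<timestamp> <detection_pct>'; None if malformed."""
    parts = txt.strip().strip('"').split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return MhrHit(int(parts[0]), int(parts[1]))


# A resolver maps a DNS name to its TXT strings; an empty list means
# NXDOMAIN / no answer, which the MHR uses for "hash not listed".
Resolver = Callable[[str], Sequence[str]]


def lookup_md5(md5hex: str, resolve_txt: Resolver) -> Optional[MhrHit]:
    for txt in resolve_txt(mhr_query_name(md5hex)):
        hit = parse_mhr_txt(txt)
        if hit is not None:
            return hit
    return None


def inspect_http_body(data: bytes, resolve_txt: Resolver) -> Optional[str]:
    """Return a notice string (the analogue of Bro's HTTP_Malware) or None."""
    if not looks_executable(data):
        return None          # only executables are hashed and looked up
    h = md5_hex(data)
    hit = lookup_md5(h, resolve_txt)
    if hit is None:
        return None
    return f"HTTP_Malware: md5={h} last_seen={hit.last_seen} detection={hit.detection_pct}%"


def dnspython_resolver(name: str) -> Sequence[str]:
    """Live resolver (assumption: dnspython >= 2.0 is installed)."""
    import dns.resolver  # type: ignore
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(r.strings).decode() for r in answer]


# --- constructed sample data for an offline run -------------------------
FAKE_PE = b"MZ" + b"\x90" * 62            # constructed: looks like a PE header
FAKE_GIF = b"GIF89a" + b"\x00" * 58        # constructed: not an executable
CONSTRUCTED_MHR: Dict[str, Sequence[str]] = {
    mhr_query_name(md5_hex(FAKE_PE)): ["1277221946 79"],   # constructed answer
}


def constructed_resolver(name: str) -> Sequence[str]:
    """Offline stand-in for the MHR DNS interface, backed by CONSTRUCTED_MHR."""
    return CONSTRUCTED_MHR.get(name, [])


if __name__ == "__main__":
    for body in (FAKE_PE, FAKE_GIF, b"\x7fELF" + b"\x00" * 60):
        print(inspect_http_body(body, constructed_resolver))
```

Swap `constructed_resolver` for `dnspython_resolver` to query the real service; a hit on an executable that nobody on the AV side has flagged yet still returns a record, so the detection percentage is worth surfacing in the notice rather than treating every answer as equal.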

A very sincere thanks goes to Team Cymru for making this data publicly
available and for creating such easy interfaces to access the data.

Malware Hash Registry

INSTALLATION
------------

You could skip the beginning of the instructions and just apply the patches if you’re working from an existing code base. The only requirement is that you must be using version 1.4+ of Bro.

wget ftp://bro-ids.org/bro-1.4-release.tar.gz
tar xzvf bro-1.4-release.tar.gz
cd bro-1.4/
git clone git://github.com/sethhall/bro_scripts.git
patch -p0 < bro_scripts/md5_hash_malware/md5-incremental.patch
patch -p0 < bro_scripts/md5_hash_malware/http-identified-files.patch
# Make sure that the configure script tells you that libmagic is available
./configure --prefix=/usr/local/bro1.4
make
sudo make install
sudo cp bro_scripts/md5_hash_malware/http-cymru-malware-hash.bro /usr/local/bro1.4/share/bro/

As an example of how to run Bro once everything is installed (sniffing interface em0)…

/usr/local/bro1.4/bin/bro -i em0 http-cymru-malware-hash