<p>About<br />
<del>-</del>—</p>
<p>This is a set of experimental patches and a Bro policy script that will enable<br />
an analyst to inspect <span class="caps">HTTP</span> file transfers in realtime and build MD5 sums, then<br />
subsequently compare those MD5 sums (again in realtime) with Team Cymru’s <br />
Malware Hash Registry (<span class="caps">MHR</span>) through their <span class="caps">DNS</span> interface.</p>
<p>If an executable file is identified as being included in the <span class="caps">MHR</span>, the <br />
HTTP_Malware notice is raised.</p>
<p>A very sincere thanks goes to Team Cymru for making this data publicly <br />
available and for creating such easy interfaces to access the data.</p>
<p><a href="http://www.team-cymru.org/Services/MHR/">Malware Hash Registry</a></p>
<p><span class="caps">INSTALLATION</span><br />
<del>-</del>————-</p>
<p>You could skip the beginning of the instructions and just apply the patches if you’re working from an existing code base. The only requirement is that you must be using version 1.4+ of Bro.</p>
<pre>
<code>wget ftp://bro-ids.org/bro-1.4-release.tar.gz
tar xzvf bro-1.4-release.tar.gz
cd bro-1.4/
git clone git://github.com/sethhall/bro_scripts.git
patch -p0 < bro_scripts/md5_hash_malware/md5-incremental.patch
patch -p0 < bro_scripts/md5_hash_malware/http-identified-files.patch
# Make sure that the configure script tells you that libmagic is available
./configure --prefix=/usr/local/bro1.4
make
sudo make install
sudo cp bro_scripts/md5_hash_malware/http-cymru-malware-hash.bro /usr/local/bro1.4/share/bro/</code>
</pre>
<p>As an example of how to run Bro once everything is installed (sniffing interface em0)…</p>
/usr/local/bro1.4/bin/bro -i em0 http-cymru-malware-hash
2010-02-10T03:00:52-08:00
98791
the-malware-hash-registry-and-bro-ids
30647
The Malware Hash Registry and Bro-IDS
2009-01-12T12:34:28-08:00
15810