Bro -- Malware Hash Registry


Vincent
Jul 29, 2013, 4:22:59 PM
to securit...@googlegroups.com
In local.bro, I currently have the following configuration line:

redef Notice::emailed_types += {
    SSH::Interesting_Hostname_Login,
    HTTP::Malware_Hash_Registry_Match
};


I know the email alerts are working, as I have received notification from matches to SSH::Interesting_Hostname_Login. However, I don't know if the latter option, HTTP::Malware_Hash_Registry_Match, is functioning as intended.

Does this functionality of Bro work? I can see that the system is making DNS queries to the hash registry, but I want to make sure the alerting functionality is working. Is there a particular, known malicious, file that I can try downloading to see if I receive an alert?

Thanks,

Vincent

Seth Hall
Jul 29, 2013, 4:39:07 PM
to securit...@googlegroups.com

On Jul 29, 2013, at 4:22 PM, Vincent <elusive...@gmail.com> wrote:

> Does this functionality of Bro work?

It should be working, I know of quite a few sites using that notice. Hopefully someone from the list can provide a URL.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

Ross Warren
Jul 29, 2013, 5:04:37 PM
to securit...@googlegroups.com
When a user hits a site with rokfonts.js in it, I get a notification:

Message: 1xx.30.x.99 ef48afd2bb7ed04ed56f6a5dc22a2f91 hxxp://www.marinelog.com/templates/rt_solarsentinel_j15/js/rokfonts.js

Connection: 1xx.30.x.99:54767 -> 199.229.227.238:80


-- Ross Warren



--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.



Vincent
Jul 29, 2013, 9:13:25 PM
to securit...@googlegroups.com
Ross,

I'm not hashing all HTTP content, only executables. I would need to download an executable that is in the registry for my test to work.

Thanks though!

Vincent

Seth Hall
Jul 29, 2013, 9:27:29 PM
to securit...@googlegroups.com

On Jul 29, 2013, at 9:13 PM, Vincent <elusive...@gmail.com> wrote:

> I'm not hashing all HTTP content, only executables. I would need to download an executable that is in the registry for my test to work.

Ross must be running on a relatively small network. That script has some unfortunate holdovers from decisions I made a long time ago, and I assume that he is hashing every file over HTTP, which automatically causes an MHR lookup for every file. This doesn't have good results on big networks, and I'm sure that Team Cymru hasn't been particularly happy about getting DoS'd when this happens on these big networks.

Anyway, the upcoming (soon I hope, this is taking way too long!) release has completely reworked how the MHR script works. (it's a lot better)

Ross Warren
Jul 30, 2013, 8:47:23 AM
to securit...@googlegroups.com
Seth and Vincent,
Yes, I am on a small network. I would love to be in a position to run SO/Bro on a big network :)

Based on this conversation, I'm going to remove the hash-all configuration.

Thanks,
Ross Warren



-- Ross Warren


Seth Hall
Jul 30, 2013, 9:22:29 AM
to securit...@googlegroups.com
On Jul 30, 2013, at 8:47 AM, Ross Warren <ro...@woodhome.com> wrote:
> Based on this conversation, I'm going to remove the hash-all configuration.

Probably not a bad idea for now. Once we release 2.2 you'll be doing MD5 and SHA1 hashing of everything by default.

Vincent
Jul 30, 2013, 2:35:33 PM
to securit...@googlegroups.com

Seth,

I set up a simulated test for a file that I knew would have a hit in the registry. I captured the following DNS lookup and response via tcpdump:

18:26:32.070591 IP xx.xx.xx.10.34097 > xx.xx.xx.30.53: 49831+ A? cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. (73)
18:26:32.070711 IP xx.xx.xx.10.34097 > xx.xx.xx.30.53: 23934+ AAAA? cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. (73)
18:26:32.111464 IP xx.xx.xx.30.53 > xx.xx.xx.10.34097: 49831 1/0/1 A 127.0.0.2 (100)
18:26:32.115409 IP xx.xx.xx.30.53 > xx.xx.xx.10.34097: 23934 0/1/1 (128)

I believe the response, 127.0.0.2, indicates a hit in the registry, but I never received an email alert from Bro. Any ideas on what may be wrong?

Thanks,

Vincent
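What the MHR notice does on the wire, as an added example that is not part of this thread and not Bro's own MHR script: it builds the query name from an MD5 (`<md5>.malware.hash.cymru.com`, as in the capture above), interprets the answer using Team Cymru's published semantics (an A record of 127.0.0.2 means the hash is listed; NXDOMAIN means it is not, which is an assumption beyond what the capture shows), and pairs `A?` queries with their responses in tcpdump output by DNS transaction id so a capture like Vincent's can be checked for hits. The first four sample lines are the ones posted above; the two NXDomain lines are constructed for the MD5 of an empty file.

```python
"""Malware Hash Registry (MHR) lookups the way Bro performs them over DNS.

Added illustration for this thread, not Bro's own code. Assumes Team Cymru's
documented semantics: query <md5>.malware.hash.cymru.com; an A record of
127.0.0.2 means the hash is listed, NXDOMAIN means it is not.
"""
import hashlib
import re
import socket

MHR_ZONE = "malware.hash.cymru.com"
MHR_LISTED = "127.0.0.2"  # A record the registry returns for a listed hash


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest, the hash Bro 2.1 computed for downloaded executables."""
    return hashlib.md5(data).hexdigest()


def mhr_query_name(md5_hex: str) -> str:
    """Build the DNS name to ask for; reject anything that is not a 32-char hex MD5."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    return f"{md5_hex.lower()}.{MHR_ZONE}"


def lookup(md5_hex: str, resolver=None) -> str:
    """Return 'listed' or 'not_listed'.

    resolver(name) returns a list of IPv4 strings and raises socket.gaierror on
    NXDOMAIN; the default performs a live lookup with getaddrinfo. Pass your own
    resolver to test offline.
    """
    name = mhr_query_name(md5_hex)
    if resolver is None:
        def resolver(n):
            return [ai[4][0] for ai in socket.getaddrinfo(n, None, socket.AF_INET)]
    try:
        addresses = resolver(name)
    except socket.gaierror:
        return "not_listed"
    return "listed" if MHR_LISTED in addresses else "not_listed"


# tcpdump query line:    "...: 49831+ A? <name>. (73)"   txid, '+' = recursion desired
REQUEST_RE = re.compile(r": (\d+)\+ (A|AAAA)\? (\S+?)\.? \(\d+\)$")
# tcpdump response line: "...: 49831 1/0/1 A 127.0.0.2 (100)"
# txid, optional flags (*, -, |), optional rcode word (NXDomain), answer/authority/additional counts, RRs
RESPONSE_RE = re.compile(r": (\d+)[*|$-]* (?:[A-Za-z]+ )?(\d+)/(\d+)/(\d+)(.*?) \(\d+\)$")
A_RR_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE_TCPDUMP = [
    # The exchange posted in the thread (addresses already redacted there):
    "18:26:32.070591 IP xx.xx.xx.10.34097 > xx.xx.xx.30.53: 49831+ A? cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. (73)",
    "18:26:32.070711 IP xx.xx.xx.10.34097 > xx.xx.xx.30.53: 23934+ AAAA? cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. (73)",
    "18:26:32.111464 IP xx.xx.xx.30.53 > xx.xx.xx.10.34097: 49831 1/0/1 A 127.0.0.2 (100)",
    "18:26:32.115409 IP xx.xx.xx.30.53 > xx.xx.xx.10.34097: 23934 0/1/1 (128)",
    # Constructed lines for a hash that is NOT in the registry (MD5 of an empty file):
    "18:26:40.000000 IP xx.xx.xx.10.34098 > xx.xx.xx.30.53: 50001+ A? d41d8cd98f00b204e9800998ecf8427e.malware.hash.cymru.com. (73)",
    "18:26:40.040000 IP xx.xx.xx.30.53 > xx.xx.xx.10.34098: 50001 NXDomain 0/1/0 (130)",
]


def mhr_results_from_tcpdump(lines):
    """Pair each MHR A? query with its response by transaction id.

    Returns {md5: [A record addresses]}; an empty list means the response
    carried no A answer (NXDOMAIN or an empty answer section).
    """
    queries = {}  # txid -> md5, for A queries into the MHR zone only
    results = {}
    for line in lines:
        q = REQUEST_RE.search(line)
        if q:
            txid, qtype, name = q.groups()
            if qtype == "A" and name.endswith("." + MHR_ZONE):
                queries[txid] = name[: -len(MHR_ZONE) - 1]
            continue
        r = RESPONSE_RE.search(line)
        if r and r.group(1) in queries:
            results[queries[r.group(1)]] = A_RR_RE.findall(r.group(5))
    return results


def listed_hashes(lines):
    """MD5s whose MHR response carried the 127.0.0.2 'listed' answer."""
    return sorted(md5 for md5, addrs in mhr_results_from_tcpdump(lines).items()
                  if MHR_LISTED in addrs)


if __name__ == "__main__":
    for md5, addrs in mhr_results_from_tcpdump(SAMPLE_TCPDUMP).items():
        print(md5, "listed" if MHR_LISTED in addrs else "not listed")
```

Run against the capture above, the parser reports the hash as listed, which confirms the registry side of the exchange worked; Bro's missing email is then a notice-handling question on the Bro side, not a DNS one. Note that only the `A?` query is paired; the `AAAA?` query and its empty `0/1/1` reply carry no registry verdict and are ignored.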

Vincent
Aug 1, 2013, 9:36:00 AM
to securit...@googlegroups.com

After performing a software update on the SO box, this is working as expected. Not sure what changed.

Thanks,

Vincent
