Generator ID: 1; Sig. ID: 30881 - (MALWARE-OTHER dns request with long host name segment.)


Jeffrey Hilgers
Jan 24, 2015, 10:36:09 PM
to securit...@googlegroups.com
Hello,
I have been receiving a few of these alerts:

Generator ID: 1; Sig. ID: 30881
"MALWARE-OTHER dns request with long host name segment"

The packet information shows the following:

9cd93b42d6203a4a7cbf46b995ab232fae900b19 malware.hash.cymru.com


I just wanted to confirm: is this Security Onion running hash checks against the online database to verify whether or not a file is known to be malware?


Doug Burks
Jan 25, 2015, 8:38:14 AM
to securit...@googlegroups.com
Hi Jeff,

Yes, Bro does DNS requests to Team Cymru's Malware Hash Registry. 


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Jeffrey Hilgers
Jan 25, 2015, 5:14:49 PM
to securit...@googlegroups.com
Awesome, thanks Doug.

Jeffrey Hilgers
Feb 7, 2015, 1:59:24 PM
to securit...@googlegroups.com
Doug,
I am in the military and we are using Security Onion in a particular environment where I can't allow things to attempt to beacon out to the internet. Is there a way I can temporarily disable the hash lookups in Security Onion that go out to the Team Cymru Malware Hash Registry service?

Liam Randall
Feb 7, 2015, 4:01:06 PM
to securit...@googlegroups.com
Hey Jeff,

If you would like to disable the Team Cymru lookup you can:

1. Edit your /opt/bro/share/bro/site/local.bro (you will need to sudo):

sudo nano -w /opt/bro/share/bro/site/local.bro  (or use vi or whatever)

2. Look for the line that enables the script:

# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR

3. Disable the script (comment it out with a #):

# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
#@load frameworks/files/detect-MHR

4. Save local.bro

5. At the shell:

sudo broctl check (verify your bro config is ok)
sudo broctl install (install your config and set it up to run)
nsm_sensor_ps-restart --only-bro
    **or**
sudo broctl restart (restart bro to take the new settings)*

* If you are all the way up to date w/ your SO patches, Doug has added the ability to restart Bro as a non-root user; from a previous thread:

"If you restart Bro with "sudo broctl restart", this will restart Bro as root. To restart Bro as a non-root user, please use "sudo nsm_sensor_ps-restart --only-bro" instead (this also takes care of the "broctl install").

http://blog.securityonion.net/2015/01/new-nsmsetupsostat-packages.html"



V/r,

Liam Randall



Jeffrey Hilgers
Feb 7, 2015, 4:35:52 PM
to securit...@googlegroups.com
Liam,
Thank you for the quick response! Is there one of these scripts for MD5 hashes that needs to be disabled too, or are only the SHA1 hashes being sent out and verified?


Liam Randall
Feb 7, 2015, 6:42:15 PM
to securit...@googlegroups.com
No, that is the only one.

You can inspect the source of the script here:

less /opt/bro/share/bro/policy/frameworks/files/detect-MHR.bro



The only other script in your local.bro that would pivot out would be the ICSI SSL Notary, which is disabled by default. You would have had to enable it manually:

# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
# @load protocols/ssl/notary




After a restart, you can check all of the bro scripts that have been loaded by looking at:

less /nsm/bro/logs/current/loaded_scripts.txt




Thanks,

Liam



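As an added example (not code from the thread, from Security Onion or from Bro), the following POSIX shell script performs Liam's edit idempotently on a local.bro file and then provides the two checks an analyst wants after "broctl install" and the restart: that detect-MHR no longer appears in loaded_scripts.txt, and that dns.log no longer records lookups to malware.hash.cymru.com. The local.bro and loaded_scripts.txt paths are the ones given in the thread; a dns.log in the same /nsm/bro/logs/current directory is an assumption, as is the query form <sha1>.malware.hash.cymru.com (the alert packet in the first post shows a 40-hex-character label followed by that domain). Every function takes the file path as an argument so it can be tried on a copy first; the sample file contents used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion itself.
# Disables Bro's Team Cymru MHR lookups by commenting out the @load line in
# local.bro, then offers checks to run after "sudo broctl install" and a
# Bro restart. Paths named in the thread: /opt/bro/share/bro/site/local.bro
# and /nsm/bro/logs/current/loaded_scripts.txt. A dns.log next to the
# latter is an assumption. Each function takes its file path as $1.

# Regex (POSIX BRE) for the directive that enables the MHR script.
MHR_LOAD='@load[[:space:]][[:space:]]*frameworks/files/detect-MHR'

# Returns 0 if $1 still contains an active (uncommented) detect-MHR @load.
mhr_still_loaded() {
    grep -q "^[[:space:]]*$MHR_LOAD" "$1"
}

# Comment out every active detect-MHR @load line in $1, keeping a .bak copy.
# Idempotent: lines already starting with '#' are left untouched.
# Returns 0 when no active load remains, 2 if the file does not exist.
disable_mhr() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    cp "$f" "$f.bak"
    # Insert '#' between any leading whitespace and the directive itself.
    sed -e "s|^\([[:space:]]*\)\($MHR_LOAD\)|\1#\2|" "$f.bak" > "$f"
    ! mhr_still_loaded "$f"
}

# Returns 0 when the loaded-script list ($1) no longer names detect-MHR.
# Run against /nsm/bro/logs/current/loaded_scripts.txt after the restart.
mhr_absent_from_loaded_scripts() {
    ! grep -q 'detect-MHR' "$1"
}

# Prints the number of MHR lookups recorded in a Bro dns.log ($1): queries
# of the form <40-hex-char SHA1>.malware.hash.cymru.com. Expect 0 once the
# script is disabled and Bro has been restarted. Only lookups that cross a
# monitored interface appear here (in the thread they did, since Snort
# alerted on them).
count_mhr_queries() {
    grep -c '[0-9a-fA-F]\{40\}\.malware\.hash\.cymru\.com' "$1" || true
}

# Stand-alone use: sh disable_mhr.sh /opt/bro/share/bro/site/local.bro
if [ -n "${1:-}" ]; then
    if disable_mhr "$1"; then
        echo "detect-MHR disabled in $1 (backup at $1.bak)."
        echo "Next: sudo broctl check && sudo broctl install && sudo nsm_sensor_ps-restart --only-bro"
    else
        echo "detect-MHR is still active in $1" >&2
        exit 1
    fi
fi
```

The sed expression only prefixes a '#' when the directive is the first non-blank text on the line, so the already-commented "# Detect SHA1 sums ..." comment and any "#@load" line produced by an earlier run are left alone; the .bak copy lets you diff the change before running broctl.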