From 1aeb52ae4692bfc3d0a2804b093ac5be1ee89f8f Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sat, 3 Nov 2012 12:09:11 -0400 Subject: [PATCH] Add detection rate threshold for MHR. --- scripts/policy/protocols/http/detect-MHR.bro | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro index a0e3cb50fb..76c53506fc 100644 --- a/scripts/policy/protocols/http/detect-MHR.bro +++ b/scripts/policy/protocols/http/detect-MHR.bro @@ -15,6 +15,12 @@ export { ## malware hash registry. Malware_Hash_Registry_Match }; + + ## The malware hash registry runs each malware sample through several A/V engines. + ## Team Cymru returns a percentage to indicate how many A/V engines flagged the + ## sample as malicious. This threshold allows you to require a minimum detection + ## rate (default: 50%). + const MHR_threshold = 50 &redef; } event log_http(rec: HTTP::Info) @@ -22,10 +28,11 @@ event log_http(rec: HTTP::Info) if ( rec?$md5 ) { local hash_domain = fmt("%s.malware.hash.cymru.com", rec$md5); - when ( local addrs = lookup_hostname(hash_domain) ) + when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { - # 127.0.0.2 indicates that the md5 sum was found in the MHR. - if ( 127.0.0.2 in addrs ) + # Data is returned as " " + local MHR_answer = split1(MHR_result, / /); + if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold) { local url = HTTP::build_url_http(rec); local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);