From 85d8653bce626f566791b051d73ac8daa5e7bee0 Mon Sep 17 00:00:00 2001
From: Daniel Thayer
Date: Wed, 6 Nov 2013 15:58:24 -0600
Subject: [PATCH] Update docs and tests for a recent change to detect-MHR.bro
---
 doc/scripting/index.rst | 4 ++--
 .../output | 7 ++++++-
 .../output | 5 +++++
 .../output | 2 +-
 ...de-scripts_policy_frameworks_files_detect-MHR_bro.btest | 7 ++++++-
 ...-scripts_policy_frameworks_files_detect-MHR_bro@3.btest | 5 +++++
 ...-scripts_policy_frameworks_files_detect-MHR_bro@4.btest | 2 +-
 7 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index c6b479a7af..16ca6b6d58 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -66,7 +66,7 @@ are ensuring the Files framework, the Notice framework and the script to hash al
 been loaded by Bro.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
- :lines: 10-31
+ :lines: 10-36
 The export section redefines an enumerable constant that describes the type of notice we will generate with the Notice framework. Bro
@@ -87,7 +87,7 @@ Up until this point, the script has merely done some basic setup. With the next
 the script starts to define instructions to take in a given event.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
- :lines: 33-57
+ :lines: 38-62
 The workhorse of the script is contained in the event handler for ``file_hash``. The :bro:see:`file_hash` event allows scripts to access
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
index 9f05c43669..aa4509513f 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
@@ -27,6 +27,11 @@ export {
 /application\/jar/ |
 /video\/mp4/ &redef;
+ ## The Match notice has a sub message with a URL where you can get more
+ ## information about the file. The %s will be replaced with the SHA-1
+ ## hash of the file.
+ const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+
 ## The malware hash registry runs each malware sample through several
 ## A/V engines. Team Cymru returns a percentage to indicate how
 ## many A/V engines flagged the sample as malicious. This threshold
@@ -52,7 +57,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
 if ( mhr_detect_rate >= notice_threshold )
 {
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+ local virustotal_url = fmt(match_sub_url, hash);
 NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 }
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
index 92f077de7d..30c6b1040e 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
@@ -18,6 +18,11 @@ export {
 /application\/jar/ |
 /video\/mp4/ &redef;
+ ## The Match notice has a sub message with a URL where you can get more
+ ## information about the file. The %s will be replaced with the SHA-1
+ ## hash of the file.
+ const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+
 ## The malware hash registry runs each malware sample through several
 ## A/V engines. Team Cymru returns a percentage to indicate how
 ## many A/V engines flagged the sample as malicious. This threshold
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
index 57d2d7ee50..64ef286c39 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
@@ -20,7 +20,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
 if ( mhr_detect_rate >= notice_threshold )
 {
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+ local virustotal_url = fmt(match_sub_url, hash);
 NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 }
 }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
index 9f05c43669..aa4509513f 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
@@ -27,6 +27,11 @@ export {
 /application\/jar/ |
 /video\/mp4/ &redef;
+ ## The Match notice has a sub message with a URL where you can get more
+ ## information about the file. The %s will be replaced with the SHA-1
+ ## hash of the file.
+ const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+
 ## The malware hash registry runs each malware sample through several
 ## A/V engines. Team Cymru returns a percentage to indicate how
 ## many A/V engines flagged the sample as malicious. This threshold
@@ -52,7 +57,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
 if ( mhr_detect_rate >= notice_threshold )
 {
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+ local virustotal_url = fmt(match_sub_url, hash);
 NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 }
 }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
index 92f077de7d..30c6b1040e 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
@@ -18,6 +18,11 @@ export {
 /application\/jar/ |
 /video\/mp4/ &redef;
+ ## The Match notice has a sub message with a URL where you can get more
+ ## information about the file. The %s will be replaced with the SHA-1
+ ## hash of the file.
+ const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+
 ## The malware hash registry runs each malware sample through several
 ## A/V engines. Team Cymru returns a percentage to indicate how
 ## many A/V engines flagged the sample as malicious. This threshold
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
index 57d2d7ee50..64ef286c39 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@@ -20,7 +20,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
 if ( mhr_detect_rate >= notice_threshold )
 {
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+ local virustotal_url = fmt(match_sub_url, hash);
 NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 }
 }