Change MHR notice sub message URL to a redef.

This commit is contained in:
Vlad Grigorescu 2013-11-05 17:10:19 -05:00
parent 09779836cb
commit 8ad2ab44e2


@ -23,6 +23,11 @@ export {
/application\/jar/ | /application\/jar/ |
/video\/mp4/ &redef; /video\/mp4/ &redef;
## The Match notice has a sub message with a URL where you can get more
## information about the file. The %s will be replaced with the SHA-1
## hash of the file.
const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
## The malware hash registry runs each malware sample through several ## The malware hash registry runs each malware sample through several
## A/V engines. Team Cymru returns a percentage to indicate how ## A/V engines. Team Cymru returns a percentage to indicate how
## many A/V engines flagged the sample as malicious. This threshold ## many A/V engines flagged the sample as malicious. This threshold
@ -48,7 +53,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
if ( mhr_detect_rate >= notice_threshold ) if ( mhr_detect_rate >= notice_threshold )
{ {
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt("https://www.virustotal.com/en/search/?query=%s", hash); local virustotal_url = fmt(match_sub_url, hash);
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]); NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
} }
} }
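Review bot: Passing the redefinable `match_sub_url` straight to `fmt()` on the new line 24 turns what the doc comment describes as a convention into a runtime contract: a redef value with no `%s`, more than one conversion, or a conversion other than `%s` will only be caught when `fmt` runs inside the notice path, not when the script is loaded. The comment above the const (lines 13-15) should state that constraint explicitly, e.g. `## The value must contain exactly one %s directive and no other format conversions; fmt() is applied to it unchanged.` The comment also calls the substituted value the "SHA-1 hash", but within this hunk `hash` is just the `hash: string` parameter of `file_hash`; if the restriction to SHA-1 is enforced by a `kind` check elsewhere in the handler, it would be worth saying so next to the const. Both enclosing scopes (the `export { ... }` block and the `file_hash` event body) start outside the hunks shown.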