Change MHR notice sub message URL to a redef.

2025-10-05 08:08:19 +00:00 · 2013-11-05 17:10:19 -05:00 · 2013-11-05 17:10:19 -05:00 · 8ad2ab44e2
commit 8ad2ab44e2
parent 09779836cb
1 changed files with 6 additions and 1 deletions
--- a/scripts/policy/frameworks/files/detect-MHR.bro
+++ b/scripts/policy/frameworks/files/detect-MHR.bro
@ -23,6 +23,11 @@ export {
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;

+	## The Match notice has a sub message with a URL where you can get more
+	## information about the file. The %s will be replaced with the SHA-1
+	## hash of the file.
+	const match_sub_url = "https://www.virustotal.com/en/search/?query=%s" &redef;
+
 	## The malware hash registry runs each malware sample through several
 	## A/V engines.  Team Cymru returns a percentage to indicate how
 	## many A/V engines flagged the sample as malicious. This threshold
@ -48,7 +53,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
 				if ( mhr_detect_rate >= notice_threshold )
 					{
 					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
-					local virustotal_url = fmt("https://www.virustotal.com/en/search/?query=%s", hash);
+					local virustotal_url = fmt(match_sub_url, hash);
 					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 					}
 				}