diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index b12330ceb4..d92314e41e 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -87,7 +87,7 @@ Up until this point, the script has merely done some basic setup. With the next the script starts to define instructions to take in a given event.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
- :lines: 38-62
+ :lines: 38-71
 The workhorse of the script is contained in the event handler for ``file_hash``. The :bro:see:`file_hash` event allows scripts to access
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
index 709fea1fba..bcf6ccd309 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
@@ -39,28 +39,37 @@ export {
 const notice_threshold = 10 &redef;
 }
-event file_hash(f: fa_file, kind: string, hash: string)
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 {
- if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+ when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+ # Data is returned as " "
+ local MHR_answer = split1(MHR_result, / /);
+
+ if ( |MHR_answer| == 2 )
 {
- # Data is returned as " "
- local MHR_answer = split1(MHR_result, / /);
- if ( |MHR_answer| == 2 )
+ local mhr_detect_rate = to_count(MHR_answer[2]);
+
+ if ( mhr_detect_rate >= notice_threshold )
 {
 local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
- local mhr_detect_rate = to_count(MHR_answer[2]);
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- if ( mhr_detect_rate >= notice_threshold )
- {
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
- }
+ local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
+ local virustotal_url = fmt(match_sub_url, hash);
+ # We don't have the full fa_file record here in order to
+ # avoid the "when" statement cloning it (expensive!).
+ local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+ Notice::populate_file_info2(fi, n);
+ NOTICE(n);
 }
 }
 }
 }
+
+event file_hash(f: fa_file, kind: string, hash: string)
+ {
+ if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ do_mhr_lookup(hash, Notice::create_file_info(f));
+ }
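Review bot: The new `message` line still formats `readable_first_detected`, but as the hunk reads its only definition is on the removed side (`- local readable_first_detected = strftime(...)`) and nothing is added in its place, so the new `do_mhr_lookup` body references an undeclared local and the context line `local mhr_first_detected = ...` is left with no consumer. Re-add `local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);` directly after the `mhr_first_detected` line inside the threshold check. The identical hunk in include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest needs the same line. While here, the moved comment `# Data is returned as " "` names neither field; `# Data is returned as "<firstDetected> <detectRate>"` matches how `MHR_answer[1]` and `MHR_answer[2]` are consumed below it.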
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
index 31b94783d9..be9619fa1c 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@@ -2,28 +2,37 @@ detect-MHR.bro
-event file_hash(f: fa_file, kind: string, hash: string)
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 {
- if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+ when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+ # Data is returned as " "
+ local MHR_answer = split1(MHR_result, / /);
+
+ if ( |MHR_answer| == 2 )
 {
- # Data is returned as " "
- local MHR_answer = split1(MHR_result, / /);
- if ( |MHR_answer| == 2 )
+ local mhr_detect_rate = to_count(MHR_answer[2]);
+
+ if ( mhr_detect_rate >= notice_threshold )
 {
 local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
- local mhr_detect_rate = to_count(MHR_answer[2]);
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- if ( mhr_detect_rate >= notice_threshold )
- {
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
- }
+ local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
+ local virustotal_url = fmt(match_sub_url, hash);
+ # We don't have the full fa_file record here in order to
+ # avoid the "when" statement cloning it (expensive!).
+ local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+ Notice::populate_file_info2(fi, n);
+ NOTICE(n);
 }
 }
 }
 }
+
+event file_hash(f: fa_file, kind: string, hash: string)
+ {
+ if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ do_mhr_lookup(hash, Notice::create_file_info(f));
+ }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
index aff7dffff7..08661d0ea8 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
@@ -5,4 +5,4 @@ expiring-certs.bro
 NOTICE([$note=Certificate_Expires_Soon, $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after), $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+ $fuid=fuid]);
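Review bot: Replacing `$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)` with `$fuid=fuid` drops the notice's de-duplication key while `$suppress_for=1day` is kept on the line above it, so unless the notice framework derives an identifier by itself, the same expiring certificate would raise a fresh Certificate_Expires_Soon notice on every connection instead of once per day. Keep both fields rather than swapping them: `$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash),` followed by `$fuid=fuid]);`. The enclosing event handler and the `fuid` local it relies on start outside the hunk.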