mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
4fab70ecce
* vlad/topic/vladg/dns_txt_queries: Add detection rate threshold for MHR. Make sure lookup_hostname_txt isn't checking lookup_hostname's cache for answers. A couple of lookup_hostname_txt fixes. Reverting the earlier function-join during merging.
44 lines
1.5 KiB
Text
44 lines
1.5 KiB
Text
##! Detect file downloads over HTTP that have MD5 sums matching files in Team
|
|
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
|
|
##! By default, not all file transfers will have MD5 sums calculated. Read the
|
|
##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
|
|
##! how to configure which transfers will have hashes calculated.
|
|
|
|
@load base/frameworks/notice
|
|
@load base/protocols/http
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## The MD5 sum of a file transferred over HTTP matched in the
|
|
## malware hash registry.
|
|
Malware_Hash_Registry_Match
|
|
};
|
|
|
|
## The malware hash registry runs each malware sample through several A/V engines.
|
|
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
|
## sample as malicious. This threshold allows you to require a minimum detection
|
|
## rate (default: 50%).
|
|
const MHR_threshold = 50 &redef;
|
|
}
|
|
|
|
event log_http(rec: HTTP::Info)
|
|
{
|
|
if ( rec?$md5 )
|
|
{
|
|
local hash_domain = fmt("%s.malware.hash.cymru.com", rec$md5);
|
|
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
|
|
{
|
|
# Data is returned as "<dateFirstDetected> <detectionRate>"
|
|
local MHR_answer = split1(MHR_result, / /);
|
|
if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
|
|
{
|
|
local url = HTTP::build_url_http(rec);
|
|
local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);
|
|
NOTICE([$note=Malware_Hash_Registry_Match,
|
|
$msg=message, $id=rec$id, $URL=url]);
|
|
}
|
|
}
|
|
}
|
|
}
|