mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00
69afc4a882
These cases should be avoidable by fixing scripts where they occur and they can also help catch typos that would lead to unintentional runtime behavior. Adding this already revealed several scripts where a field in an inlined record was never removed after a code refactor.
44 lines
1.5 KiB
Text
44 lines
1.5 KiB
Text
##! Detect file downloads over HTTP that have MD5 sums matching files in Team
|
|
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
|
|
##! By default, not all file transfers will have MD5 sums calculated. Read the
|
|
##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
|
|
##! how to configure which transfers will have hashes calculated.
|
|
|
|
@load base/frameworks/notice
|
|
@load base/protocols/http
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## The MD5 sum of a file transferred over HTTP matched in the
|
|
## malware hash registry.
|
|
Malware_Hash_Registry_Match
|
|
};
|
|
|
|
## The malware hash registry runs each malware sample through several A/V engines.
|
|
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
|
## sample as malicious. This threshold allows you to require a minimum detection
|
|
## rate (default: 50%).
|
|
const MHR_threshold = 50 &redef;
|
|
}
|
|
|
|
event log_http(rec: HTTP::Info)
|
|
{
|
|
if ( rec?$md5 )
|
|
{
|
|
local hash_domain = fmt("%s.malware.hash.cymru.com", rec$md5);
|
|
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
|
|
{
|
|
# Data is returned as "<dateFirstDetected> <detectionRate>"
|
|
local MHR_answer = split1(MHR_result, / /);
|
|
if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
|
|
{
|
|
local url = HTTP::build_url_http(rec);
|
|
local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);
|
|
NOTICE([$note=Malware_Hash_Registry_Match,
|
|
$msg=message, $id=rec$id]);
|
|
}
|
|
}
|
|
}
|
|
}
|