[Discussion] Just one question
thorsten.holz at informatik.uni-mannheim.de
Thu Mar 19 10:34:14 EST 2009
On 19.03.2009, at 08:22, Matt Jonkman wrote:
> In order to hash and have an md5 to compare the engine would have to
> grab and reconstruct the binary. I'm scared of the impact that'd have.
Bro can already do that for HTTP traffic:
"- The new analysis script http-identified-files.bro identifies the
type of items returned by Web servers using libMagic (if available)
and generates notices for interesting types and mismatches between
URLs and types (Seth Hall). You configure it using two variables.
watched_mime_types is a pattern (default /application\/x-dosexec/ | /
application\/x-executable/ ) for which any MIME type matching the
pattern generates a HTTP_WatchedMIMEType notice. mime_types_extensions
is a table mapping strings to patterns specifying how URLs for the
given MIME type should appear. (Ideally, this would be a table mapping
patterns to patterns, but Bro doesn't currently support that.) It
defaults to: ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL]
[lL])/ i.e., do Windows executables end in .exe or .dll. You can also
redef the pattern ignored_urls to specify URLs that should not
generate complaints. It defaults to matching Windows Update.
- The new script http-extract-items.bro extracts the items from HTTP
traffic into individual files (Vern Paxson). Files are named:
where <prefix> is a redef'able prefix (default: "http-item"), <n> is a
number uniquely identifying the item, the next four are describe the
connection tuple, and <is-orig> is "orig" if the item was transferred
from the originator to the responder, "resp" otherwise."
Taken from the changelog (http://bro-ids.org/wiki/index.php/Version_1.4)
Seth Hall is using that in production, perhaps he can report in the
More information about the Discussion