[Discussion] Just one question

Seth Hall hall.692 at osu.edu
Wed Mar 18 19:14:02 UTC 2009


On Mar 18, 2009, at 2:30 PM, John Johnson wrote:

> There is a post about a new exec going around on the sigs list. I downloaded a
> copy, yup, not flagged by clamav. Wouldn't it really be nice to have a list of md5sum
> objects that could be a trigger? I don't mind if it can't be blocked, but it sure would
> be nice to say - it came from this IP at this time.


We've been doing this for quite a while with Bro based on the Team
Cymru Malware Hash Registry (at least for files transferred over HTTP)
by doing a DNS query after each md5 sum that we collect when we
identify Windows executables. It's nice because we don't have to
maintain a list of md5 sums since we're doing the lookups over DNS.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
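An added example of the lookup Seth describes, written for this page rather than taken from Bro or from Team Cymru: take the body of an HTTP response, hash it only when it looks like a Windows executable (MZ header), turn the MD5 into a TXT query under the Malware Hash Registry zone, and record source, destination and time when the registry answers. The MHR answer format assumed here ("<unix timestamp> <detection rate>" in a TXT record, NXDOMAIN for an unknown hash) comes from the MHR documentation, not from the post. The HTTP responses and the MHR answer are constructed inline so the example runs offline; the resolver is pluggable, with a real dnspython-based one sketched alongside the fake.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed from the Team Cymru MHR documentation (not from the post): a lookup is a DNS
# TXT query for <md5>.malware.hash.cymru.com; a hit returns "<unix time> <detection %>",
# an unknown hash returns NXDOMAIN.
MHR_ZONE = "malware.hash.cymru.com"


def split_http_response(raw: bytes) -> bytes:
    """Return the body of a raw HTTP response (everything after the blank line)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    return body


def is_windows_executable(body: bytes) -> bool:
    """The same trigger as in the post: only hash what looks like a PE file."""
    return body[:2] == b"MZ"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def mhr_query_name(md5_hex_digest: str) -> str:
    """Build the DNS name to query for a given MD5."""
    if not re.fullmatch(r"[0-9a-f]{32}", md5_hex_digest):
        raise ValueError("expected a lowercase 32-hex-digit MD5")
    return f"{md5_hex_digest}.{MHR_ZONE}"


def parse_mhr_txt(txt: str):
    """Parse an MHR TXT answer into (last_seen datetime, detection percentage)."""
    ts, rate = txt.strip().strip('"').split()
    return datetime.fromtimestamp(int(ts), tz=timezone.utc), int(rate)


def dns_resolver(name: str):
    """Live resolver (optional, needs the dnspython package). None means NXDOMAIN."""
    import dns.resolver  # imported lazily so the offline example does not need it
    try:
        return dns.resolver.resolve(name, "TXT")[0].strings[0].decode()
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None


def check_http_body(body: bytes, src_ip: str, dst_ip: str, when: str, resolver):
    """Return an alert record if the body is a PE whose MD5 the registry knows, else None."""
    if not is_windows_executable(body):
        return None
    digest = md5_hex(body)
    answer = resolver(mhr_query_name(digest))
    if answer is None:
        return None  # not in the registry: nothing to say about it
    last_seen, rate = parse_mhr_txt(answer)
    return {
        "md5": digest,
        "src": src_ip,
        "dst": dst_ip,
        "seen": when,
        "mhr_last_seen": last_seen.isoformat(),
        "detection_rate": rate,
    }


# Constructed sample traffic (not real captures): one fake PE download, one HTML page.
SAMPLE_EXE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n" + b"MZ" + b"\x90" * 62
)
SAMPLE_HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_EXE_BODY = split_http_response(SAMPLE_EXE_RESPONSE)
SAMPLE_HTML_BODY = split_http_response(SAMPLE_HTML_RESPONSE)

# Constructed registry answer for the sample PE (hypothetical values, not real MHR data).
FAKE_MHR = {mhr_query_name(md5_hex(SAMPLE_EXE_BODY)): "1237300000 53"}


def fake_resolver(name: str):
    return FAKE_MHR.get(name)


if __name__ == "__main__":
    for body in (SAMPLE_EXE_BODY, SAMPLE_HTML_BODY):
        print(check_http_body(body, "203.0.113.9", "10.0.0.5",
                              "2009-03-18T14:30:00Z", fake_resolver))
```

Swap `fake_resolver` for `dns_resolver` to query the real registry; per-flow lookups of every PE seen on a busy link generate a lot of DNS traffic, so a local cache of recent hashes in front of the resolver is the first thing to add in production.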



