[Discussion] Just one question
Thorsten Holz
thorsten.holz at informatik.uni-mannheim.de
Thu Mar 19 15:34:14 UTC 2009
On 19.03.2009, at 08:22, Matt Jonkman wrote:
> In order to hash and have an md5 to compare the engine would have to
> grab and reconstruct the binary. I'm scared of the impact that'd have.
Bro can already do that for HTTP traffic:
"- The new analysis script http-identified-files.bro identifies the type of items returned by Web servers using libMagic (if available) and generates notices for interesting types and mismatches between URLs and types (Seth Hall). You configure it using two variables. watched_mime_types is a pattern (default /application\/x-dosexec/ | /application\/x-executable/ ) for which any MIME type matching the pattern generates an HTTP_WatchedMIMEType notice. mime_types_extensions is a table mapping strings to patterns specifying how URLs for the given MIME type should appear. (Ideally, this would be a table mapping patterns to patterns, but Bro doesn't currently support that.) It defaults to: ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/ i.e., Windows executables end in .exe or .dll. You can also redef the pattern ignored_urls to specify URLs that should not generate complaints. It defaults to matching Windows Update.

- The new script http-extract-items.bro extracts the items from HTTP traffic into individual files (Vern Paxson). Files are named:
<prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>
where <prefix> is a redef'able prefix (default: "http-item"), <n> is a number uniquely identifying the item, the next four describe the connection tuple, and <is-orig> is "orig" if the item was transferred from the originator to the responder, "resp" otherwise."
Taken from the changelog (http://bro-ids.org/wiki/index.php/Version_1.4)
Seth Hall is using that in production, perhaps he can report on the performance impact.
Cheers,
Thorsten
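The MIME-type/URL mismatch check that the quoted changelog describes, re-implemented in Python as an added example (not Bro's own code, and not part of the original post). The watched-type and extension patterns are the defaults quoted above; the Windows Update pattern for ignored_urls and the mismatch notice name HTTP_IncorrectFileType are assumptions, since the changelog gives neither.

```python
import re
from typing import Dict, List, Tuple

# Default of watched_mime_types as quoted in the Bro 1.4 changelog.
WATCHED_MIME_TYPES = re.compile(r"application/x-dosexec|application/x-executable")

# Default of mime_types_extensions: MIME type -> pattern the URL must match.
MIME_TYPE_EXTENSIONS = {
    "application/x-dosexec": re.compile(r"\.([eE][xX][eE]|[dD][lL][lL])"),
}

# ignored_urls: the changelog only says the default "matches Windows Update";
# this concrete pattern is an assumption standing in for it.
IGNORED_URLS = re.compile(r"^https?://[^/]*windowsupdate\.com/", re.IGNORECASE)


def classify(url: str, mime_type: str) -> List[str]:
    """Return the notices one HTTP response (URL + identified MIME type) raises."""
    notices = []
    # Any watched type is reported regardless of URL (e.g. an .exe download).
    if WATCHED_MIME_TYPES.search(mime_type):
        notices.append("HTTP_WatchedMIMEType")
    # "Complaints" are the mismatch notices; ignored_urls suppresses only those.
    if IGNORED_URLS.search(url):
        return notices
    expected = MIME_TYPE_EXTENSIONS.get(mime_type)
    if expected is not None and not expected.search(url):
        # Assumed notice name: a Windows executable served under a non-.exe/.dll URL.
        notices.append("HTTP_IncorrectFileType")
    return notices


def scan(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run classify() over (url, mime_type) records; keep only URLs with notices."""
    return {url: n for url, mime in records if (n := classify(url, mime))}


# Constructed sample records (URL, libMagic-identified MIME type), not real traffic.
SAMPLE = [
    ("http://cdn.example.test/files/setup.exe", "application/x-dosexec"),
    ("http://cdn.example.test/images/logo.gif", "application/x-dosexec"),
    ("http://download.windowsupdate.com/msdownload/x.cab", "application/x-dosexec"),
    ("http://www.example.test/index.html", "text/html"),
]

if __name__ == "__main__":
    for url, notices in scan(SAMPLE).items():
        print(url, "->", ", ".join(notices))
```

The second record is the interesting case: a PE binary served under a .gif URL trips both notices, while the Windows Update URL keeps only the watched-type notice.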