policy/frameworks/files/detect-MHR.bro
-
TeamCymruMalwareHashRegistry
Detect file downloads that have hash values matching files in Team
Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
Detailed Interface
Options
-
TeamCymruMalwareHashRegistry::match_file_types
-
/((((((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))|(^?(application\/pdf)$?))|(^?(application\/x-shockwave-flash)$?))|(^?(application\/x-java-applet)$?))|(^?(application\/jar)$?))|(^?(video\/mp4)$?)/
File types to attempt matching against the Malware Hash Registry.
-
TeamCymruMalwareHashRegistry::match_sub_url
Type: | string |
Attributes: | &redef |
Default: | "https://www.virustotal.com/en/search/?query=%s" |
The Match notice has a sub message with a URL where you can get more
information about the file. The %s will be replaced with the SHA-1
hash of the file.
-
TeamCymruMalwareHashRegistry::notice_threshold
-
The malware hash registry runs each malware sample through several
A/V engines. Team Cymru returns a percentage to indicate how
many A/V engines flagged the sample as malicious. This threshold
allows you to require a minimum detection rate.