policy/frameworks/files/detect-MHR.bro

TeamCymruMalwareHashRegistry

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).

Namespace:TeamCymruMalwareHashRegistry Imports:base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.bro Source File:/scripts/policy/frameworks/files/detect-MHR.bro

Summary

Options

TeamCymruMalwareHashRegistry::match_file_types: pattern &redef	File types to attempt matching against the Malware Hash Registry.
TeamCymruMalwareHashRegistry::match_sub_url: string &redef	The Match notice has a sub message with a URL where you can get more information about the file.
TeamCymruMalwareHashRegistry::notice_threshold: count &redef	The malware hash registry runs each malware sample through several A/V engines.

Redefinitions

Notice::Type: enum

Detailed Interface

Options

TeamCymruMalwareHashRegistry::match_file_types

Type:pattern Attributes:&redef Default:

/((((((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))|(^?(application\/pdf)$?))|(^?(application\/x-shockwave-flash)$?))|(^?(application\/x-java-applet)$?))|(^?(application\/jar)$?))|(^?(video\/mp4)$?)/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url

Type:string Attributes:&redef Default:"https://www.virustotal.com/en/search/?query=%s"

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold

Type:count Attributes:&redef Default:10

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.