detect-MHR.bro¶

TeamCymruMalwareHashRegistry¶

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).

Namespace:	TeamCymruMalwareHashRegistry
Imports:	base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.bro

Summary¶

Runtime Options¶

`TeamCymruMalwareHashRegistry::match_file_types`: `pattern` `&redef`	File types to attempt matching against the Malware Hash Registry.
`TeamCymruMalwareHashRegistry::match_sub_url`: `string` `&redef`	The Match notice has a sub message with a URL where you can get more information about the file.
`TeamCymruMalwareHashRegistry::notice_threshold`: `count` `&redef`	The malware hash registry runs each malware sample through several A/V engines.

Redefinitions¶

Notice::Type: enum

Detailed Interface¶

Runtime Options¶

TeamCymruMalwareHashRegistry::match_file_types¶

Type:	`pattern`
Attributes:	`&redef`
Default:

/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url¶

Type:	`string`
Attributes:	`&redef`
Default:	`"https://www.virustotal.com/en/search/?query=%s"`

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold¶

Type:	`count`
Attributes:	`&redef`
Default:	`10`

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.