policy/frameworks/files/detect-MHR.bro

TeamCymruMalwareHashRegistry
Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
Namespace: TeamCymruMalwareHashRegistry
Imports: base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.bro
Summary

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types : pattern &redef
    File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url : string &redef
    The Match notice has a sub message with a URL where you can get more information about the file.

TeamCymruMalwareHashRegistry::notice_threshold : count &redef
    Minimum percentage of A/V engines that must have flagged a sample before a Match notice is raised.

Redefinitions

Notice::Type : enum
    Adds the Match notice type used by this script.
Detailed Interface

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types

    Type: pattern
    Attributes: &redef
    Default: /^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

    File types (MIME types as identified by the files framework) to attempt matching against the Malware Hash Registry. Files whose type does not match this pattern are never looked up. The default covers Windows executables (application/x-dosexec), Microsoft cabinet archives, PDF, Flash, Java applets and JAR files, and MP4 video.
TeamCymruMalwareHashRegistry::match_sub_url

    Type: string
    Attributes: &redef
    Default: "https://www.virustotal.com/en/search/?query=%s"

    The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.
TeamCymruMalwareHashRegistry::notice_threshold

    Type: count
    Attributes: &redef
    Default: 10

    The Malware Hash Registry runs each malware sample through several A/V engines, and Team Cymru returns a percentage indicating how many of those engines flagged the sample as malicious. This threshold is the minimum detection percentage required before a Match notice is raised; with the default of 10, a sample flagged by fewer than 10% of engines produces no notice. Raising the threshold reduces false positives at the cost of missing samples seen by only a few engines. Bear in mind that the registry lookup is an exact hash match, so a recompiled or repacked variant of a known sample will not match at any threshold.
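The following local.bro fragment is an added example of how an operator would tune the options documented above; it is not part of detect-MHR.bro or its generated documentation. It assumes a Bro 2.x deployment where site settings live in local.bro, that the notice raised by this script is named TeamCymruMalwareHashRegistry::Match (the page refers to it only as "the Match notice"), and that the standard Notice::ACTION_EMAIL action from base/frameworks/notice is available for escalation.

```bro
# Added example: tuning the Malware Hash Registry detector from local.bro.
# Not part of the detect-MHR.bro script itself.

# Load the detector (it pulls in hash-all-files.bro so every file gets hashed).
@load policy/frameworks/files/detect-MHR

# Narrow the lookups to Windows executables and PDFs only. Files of any other
# MIME type are skipped before a registry lookup is ever issued, which keeps
# query volume down on a busy sensor.
redef TeamCymruMalwareHashRegistry::match_file_types =
    /^application\/x-dosexec$/ | /^application\/pdf$/;

# Require that at least half of the A/V engines flagged the sample. The value
# is a percentage, so 50 means "50% or more of engines".
redef TeamCymruMalwareHashRegistry::notice_threshold = 50;

# Keep the VirusTotal search link in the notice's sub message; %s is replaced
# with the file's SHA-1. Change this if your analysts use a different portal.
redef TeamCymruMalwareHashRegistry::match_sub_url =
    "https://www.virustotal.com/en/search/?query=%s";

# Escalate: e-mail every Match notice in addition to logging it. Only notices
# that already cleared notice_threshold reach this hook, so the threshold
# above doubles as the alerting bar. (Assumes the notice type name and the
# ACTION_EMAIL action as described in the lead-in.)
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == TeamCymruMalwareHashRegistry::Match )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Because the pattern is rebuilt rather than extended, the redef replaces the default list entirely; to merely add a type, OR the new alternative together with the default pattern shown above instead.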