policy/frameworks/files/detect-MHR.zeek

TeamCymruMalwareHashRegistry

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (https://www.team-cymru.com/mhr.html).

Namespace

TeamCymruMalwareHashRegistry

Imports

base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.zeek

Summary

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types: pattern &redef

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url: string &redef

The Match notice has a sub message with a URL where you can get more information about the file.

TeamCymruMalwareHashRegistry::notice_threshold: count &redef

The malware hash registry runs each malware sample through several A/V engines.

Redefinitions

Notice::Type: enum

Detailed Interface

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types
Type

pattern

Attributes

&redef

Default

/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd\.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url
Type

string

Attributes

&redef

Default

"https://www.virustotal.com/gui/search/%s"

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold
Type

count

Attributes

&redef

Default

10

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.
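The three options above are meant to be tuned from a site's local.zeek rather than by editing the script. The following is an added example of such a fragment; it is not code from detect-MHR.zeek or from the Zeek distribution. The threshold value, the extra MIME types, the lookup URL and the escalation actions are illustrative choices (assumed), and TeamCymruMalwareHashRegistry::Match is the notice type the script raises for a registry hit.

```zeek
# Added example (not part of detect-MHR.zeek): a local.zeek fragment that
# loads the MHR detection script and tunes its runtime options.

@load policy/frameworks/files/detect-MHR

# Only raise a Match notice when at least 50% of the A/V engines Team Cymru
# runs flagged the sample (the shipped default is 10). Assumed value.
redef TeamCymruMalwareHashRegistry::notice_threshold = 50;

# Extend the default set of file types with ZIP archives and Word documents
# so their hashes are also looked up. Assumed additional MIME types; the
# pattern is anchored so partial type names do not match.
redef TeamCymruMalwareHashRegistry::match_file_types +=
    /^application\/zip$/ | /^application\/msword$/;

# Point the notice's sub message at a different lookup service. The %s is
# replaced with the SHA-1 hash of the file. Assumed placeholder URL.
redef TeamCymruMalwareHashRegistry::match_sub_url =
    "https://example.invalid/lookup/%s";

# Escalate registry hits: e-mail the notice and mark it as an alarm so it
# is written to notice_alarm.log, not only notice.log.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == TeamCymruMalwareHashRegistry::Match )
        {
        add n$actions[Notice::ACTION_EMAIL];
        add n$actions[Notice::ACTION_ALARM];
        }
    }
```

Because match_file_types is a pattern, `+=` in a redef adds alternatives to the existing pattern instead of replacing it; assign with `=` if the default list should be dropped entirely. Raising notice_threshold trades fewer false positives from single-engine detections for a later first alert on new samples, so pick the value with that in mind.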