policy/frameworks/files/detect-MHR.zeek¶
- TeamCymruMalwareHashRegistry¶
Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (https://www.team-cymru.com/mhr.html).
- Namespace
TeamCymruMalwareHashRegistry
- Imports
base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.zeek
Summary¶
Runtime Options¶
|
File types to attempt matching against the Malware Hash Registry. |
The Match notice has a sub message with a URL where you can get more information about the file. |
|
|
The malware hash registry runs each malware sample through several A/V engines. |
Redefinitions¶
|
Detailed Interface¶
Runtime Options¶
- TeamCymruMalwareHashRegistry::match_file_types¶
- Type
- Attributes
- Default
/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/
File types to attempt matching against the Malware Hash Registry.
- TeamCymruMalwareHashRegistry::match_sub_url¶
-
The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.
- TeamCymruMalwareHashRegistry::notice_threshold¶
-
The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.