detect-MHR.zeek

TeamCymruMalwareHashRegistry

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (https://www.team-cymru.com/mhr.html).

Namespace: TeamCymruMalwareHashRegistry
Imports: base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.zeek

Summary

Runtime Options

`TeamCymruMalwareHashRegistry::match_file_types`: `pattern` `&redef`	File types to attempt matching against the Malware Hash Registry.
`TeamCymruMalwareHashRegistry::match_sub_url`: `string` `&redef`	The Match notice has a sub message with a URL where you can get more information about the file.
`TeamCymruMalwareHashRegistry::notice_threshold`: `count` `&redef`	The malware hash registry runs each malware sample through several A/V engines.

Redefinitions

Notice::Type: enum

TeamCymruMalwareHashRegistry::Match: The hash value of a file transferred over HTTP matched in the malware hash registry.

Detailed Interface

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types 

Type

pattern

Attributes

&redef

Default

/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd\.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url 

Type: string
Attributes: &redef
Default: "https://www.virustotal.com/gui/search/%s"

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold 

Type: count
Attributes: &redef
Default: 10

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.