policy/frameworks/files/detect-MHR.zeek
- TeamCymruMalwareHashRegistry
Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (https://www.team-cymru.com/mhr.html).
- Namespace
TeamCymruMalwareHashRegistry
- Imports
base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.zeek
Summary
Runtime Options
|
File types to attempt matching against the Malware Hash Registry. |
The Match notice has a sub message with a URL where you can get more information about the file. |
|
|
The malware hash registry runs each malware sample through several A/V engines. |
Redefinitions
|
Detailed Interface
Runtime Options
- TeamCymruMalwareHashRegistry::match_file_types
- Type
- Attributes
- Default
/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd\.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/
File types to attempt matching against the Malware Hash Registry.
- TeamCymruMalwareHashRegistry::match_sub_url
-
The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.
- TeamCymruMalwareHashRegistry::notice_threshold
-
The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.