Created
March 15, 2016 12:01
-
-
Save markuskont/c503f7a1dd728f849e0e to your computer and use it in GitHub Desktop.
BRO script for checking file sha checksums
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| type Val: record { | |
| sha256_hash: string; | |
| document_name: string; | |
| }; | |
| global blacklist_hash_database = "/var/db/blacklist"; | |
| event document_exfil(description: Input::EventDescription, tpe: Input::Event, r: Val) | |
| { | |
| print fmt("Data exfiltration detected with hash %s, document %s", r$sha256_hash, r$document_name); | |
| } | |
| event file_new(f: fa_file) | |
| { | |
| Files::add_analyzer(f, Files::ANALYZER_SHA256); | |
| } | |
| event file_hash(f: fa_file, kind: string, hash: string) | |
| { | |
| if (kind == "sha256") | |
| { | |
| Input::add_event( | |
| [ | |
| $source=blacklist_hash_database, | |
| $name=hash, | |
| $fields=Val, | |
| $ev=document_exfil, | |
| $want_record=T, | |
| $config=table( | |
| ["query"] = fmt("select * from blacklisted_documents where sha256_hash='%s';", hash) | |
| ), | |
| $reader=Input::READER_SQLITE | |
| ]); | |
| } | |
| } | |
| event Input::end_of_data(name: string, source:string) | |
| { | |
| if ( source == blacklist_hash_database ) | |
| Input::remove(name); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment