24 Feb
2013
24 Feb
'13
7:08 p.m.
Similar to how Bro implements the detect-MHR script, I'd like to do a
lookup against a REST API for hashes on executables...I can do it easily
enough in python but...How can I do it in Bro?
I copied the detect-MHR as a template, but immedietly ran into the
questions of "how do I make an http request with Bro?" and "Will that
request now end up in my http.logs?" and "Does Bro have native abilities to
deal with JSON objects in a reasonable way?" and "What happens if I'm
getting two lines in my response: a csv style line and a JSON
"object"?"...
Obviously I have a lot to learn, and would appreciate any resourses I could
be point to for doing so... :)
Cheers,
Jesse
--
Jesse Bowling
25 Feb
25 Feb
12:57 p.m.
On Feb 24, 2013, at 10:08 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Similar to how Bro implements the detect-MHR script,
I'd like to do a lookup against a REST API for hashes on executables...I can do it
easily enough in python but...How can I do it in Bro?
No, not yet. I'm hoping that for 2.2 we can get some form of active HTTP into Bro.
I have something implemented in my junk drawer repository already, but it needs a bug fix
that hasn't been merged into master yet.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
1:01 p.m.
Ah, ok...Well, sounds like it's time for me to try out that external
command script you've mentioned... :)
Cheers,
Jesse
On Mon, Feb 25, 2013 at 3:57 PM, Seth Hall <seth(a)icir.org> wrote:
On Feb 24, 2013, at 10:08 PM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
Similar to how Bro implements the detect-MHR
script, I'd like to do a
lookup against a REST API for hashes on
executables...I can do it easily
enough in python but...How can I do it in Bro?
No, not yet. I'm hoping that for 2.2 we can get some form of active HTTP
into Bro. I have something implemented in my junk drawer repository
already, but it needs a bug fix that hasn't been merged into master yet.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
1:43 p.m.
On Feb 25, 2013, at 4:01 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Ah, ok...Well, sounds like it's time for me to
try out that external command script you've mentioned... :)
The ActiveHTTP module is actually there already too (it wraps the command line curl
client). ;)
It does require the topic/jsiwek/ticket946 branch though and there may be problems with
doing lots of HTTP requests or Exec commands at runtime due to some thread clean up issues
that still exist.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
3377
days inactive
3377
days old
3 comments
2 participants
participants (2)
-
Jesse Bowling -
Seth Hall