# Version 1.0 (May 2019)
#
# Authors: Zer0d0y@天御实验室 ([email protected])
#
# Copyright (c) 2019, 天御[攻防]实验室.
# All rights reserved.
# Licensed under the BSD 3-Clause license.
#
# Supports Zeek version 2.6.x (支持Zeek Version v2.6.x)
# Modified by hardenedlinux <2019-09-09 Mon>
@load base/frameworks/notice
@load frameworks/files/hash-all-files
@load ./virustotal.zeek
@load ./known_hash.zeek
module VirusTotal;
export {
## Notice raised when a looked-up hash is flagged by at least
## ``hits_to_notice`` antivirus engines.
redef enum Notice::Type += {
Match
};
## Minimum number of positive AV engine hits before a Match notice
## is generated. Lower values mean noisier alerts; tune per deployment.
const hits_to_notice = 10 &redef;
## MIME types whose files are submitted to VirusTotal for a hash lookup.
## Only PE (x-dosexec) and ELF (x-executable) binaries are covered by
## default; extend via redef to look up other types.
const match_file_types = /application\/x-(dosexec|executable)/ &redef;
}
## Handle a computed file hash: for sha1 hashes of executables that are
## not on the local known-hash list, look the hash up on VirusTotal and
## raise a VirusTotal::Match notice when enough AV engines flag it.
##
## f:    the file the hash belongs to.
## kind: hash algorithm name; only "sha1" is acted on here.
## hash: the hex digest of ``f`` for that algorithm.
##
## NOTE(review): every unknown executable's sha1 is sent to a third-party
## service (VirusTotal::scan_hash from ./virustotal.zeek); treat that as
## an intentional disclosure of which binaries traverse the network.
event file_hash(f: fa_file, kind: string, hash: string)
{
# Guard on ?$mime_type before dereferencing it; the MIME filter is the
# redef-able match_file_types pattern from the export block.
if ( kind == "sha1" && f$info?$mime_type
&& match_file_types in f$info$mime_type ) {
# Known::hashes (from ./known_hash.zeek) acts as an allow-list keyed by
# the same sha1: a listed hash is never sent to VirusTotal.
# NOTE(review): hash-all-files also computes stronger digests (sha256 is
# believed to be among them -- confirm); sha1 is collision-prone, so an
# allow-list keyed on it is weaker than one keyed on sha256.
if ( hash !in Known::hashes ) {
# Asynchronous lookup; the body runs only once scan_hash returns.
# NOTE(review): there is no ``timeout`` clause, so if scan_hash never
# completes (API down, rate-limited) this trigger stays pending --
# consider adding one and reporting the dropped lookup.
when ( local info = VirusTotal::scan_hash(f, hash) ) {
# Below the configured threshold: no notice.
if ( |info$hits| < hits_to_notice )
break;
# Stays 0.0.0.0 when rx_hosts is empty, and that placeholder is
# then reported as $src below.
local downloader: addr = 0.0.0.0;
for ( host in f$info$rx_hosts ) {
# Pick a receiver host to use here (typically only one anyway)
# The last host iterated wins; with several receivers the choice
# depends on set iteration order.
downloader = host;
}
# NOTE(review): info$permalink is read without a ?$ check -- verify
# that the record returned by scan_hash always populates it.
NOTICE([
$note=VirusTotal::Match,
$msg=fmt("VirusTotal match on %d AV engines hit by %s", |info$hits|, downloader),
$sub=info$permalink,
$n=|info$hits|,
$src=downloader]);
}
}
}
}