JoeSandbox-Bro is a simple bro script which extracts files from your internet connection and analyzes them automatically on Joe Sandbox
Python Bro
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

JoeSandbox-Bro

JoeSandbox-Bro is a simple bro script which extracts files from your internet connection and analyzes them automatically on Joe Sandbox. By using this script you can fetch and detect malware payloads in HTTP, FTP and other protocols. Combined with Joe Sandbox's report and alerting features you can build with JoeSandbox-Bro a powerful IDS.

Bro extracts files between the internet and your hosts and uploads them to Joe Sandbox.

Requirements

  • Python 2.6
  • The requests library: pip install requests
  • Bro 2.5
  • The Bro package manager: pip install bro-pkg

Installation (for people familiar with Bro)

  1. Installation

     pip install requests
     bro-pkg refresh
     bro-pkg install joesecurity/Joe-Sandbox-Bro
    
  2. Configuration

    The most important settings are your api key and accepting the terms and conditions:

     # api key
     redef JoeSandbox::apikey = "YOUR API KEY";
    
     # https://jbxcloud.joesecurity.org/download/termsandconditions.pdf
     redef JoeSandbox::accept_tac = T;
    
     # for on-premise installations
     # redef JoeSandbox::apiurl = "http://example.net/joesandbox/index.php/api/";
    

Step-by-step for inexperienced users (not recommended for production environments)

  1. Install Linux. (We used Ubuntu 16.04.)

  2. Install Bro 2.5:

    https://www.bro.org/download/packages.html

  3. You need to be root for the rest of this example:

     sudo -s
    
  4. Install some software:

     pip install bro-pkg requests
    
  5. Add Bro to your path:

     export PATH="$PATH:/opt/bro/bin"
    
  6. Configure bro-pkg and download Joe-Sandbox-Bro:

     bro-pkg autoconfig
     bro-pkg install joesecurity/Joe-Sandbox-Bro
    
  7. Write a small script and save it as example.bro:

     @load Joe-Sandbox-Bro
    
     redef JoeSandbox::apikey = "YOUR_API_KEY";
     # https://jbxcloud.joesecurity.org/download/termsandconditions.pdf
     redef JoeSandbox::accept_tac = T;
    
     # optionally submit sample.txt on startup
     # event bro_init()
     #     {
     #         when (local webids = JoeSandbox::submit("sample.txt")) {
     #             print webids;
     #         }
     #     }
    
  8. Run Bro:

     bro -C -i eth0 example.bro
    

Bro now extracts all PE files it sees and uploads them to Joe Sandbox.

Alerts for malicious files

If the script is working properly, you should now setup an alert to get notified if Joe Sandbox detect a file as malicious. For this, open the alerts page in the web interface of Joe Sandbox and add a new alert. Set the XPath field to

/analysis/signaturedetections/strategy[@name='empiric']/detection[text()='MAL']

Then add e-mail addresses and finally save the alert. You will now receive alerts for all malicious analysis.

Example

During analysis in a network we were able to detect second stage downloads by Kovter:

detected kovter samples

e-mail alert for kovter

kovter http

License

The code is licensed under MIT.

Links

Author

Joe Security (@joe4security - webpage)