Skip to content

mavam/malbroro

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
__load__.bro
__load__.bro
 
 
http.bro
http.bro
 
 
mcrat.bro
mcrat.bro
 
 
miniduke.bro
miniduke.bro
 
 

Repository files navigation

malBroro

The malware Bro roasts repository contains a collection of Bro scripts for detecting malware.

Usage

Quick Start

git clone git://github.com/mavam/malbroro.git
bro -C -r trace.pcap ./malbroro
bro -i eth0 ./malbroro

Integration

Clone this script into your site directory and add

@load ./malbroro

to your local.bro.

Malware

Tested

This list of scripts has received unit-testing with a PCAP trace of the exploit.

  • miniduke.bro: detects Miniduke C&C traffic by looking for a HTTP body with MIME type image/gif in reponse to a request with URIs like .*index.php?e=Rqut1NbyoQkT.

Untested

This list of scripts represents experimental scripts for which I could not yet obtain a sample trace.

  • mcrat.bro: detects McRAT C&C traffic by looking for a HTTP POST request to /59788582 with the header Content-Length: 44, Pragma: no-cache, and Host: 110.[0-9]+.55.187.

About

Malware Bro roasts

Resources

Readme
Activity

Stars

10 stars

Watchers

5 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages