Malware Bro roasts (Bro)
Files: .gitignore, README.md, __load__.bro, http.bro, mcrat.bro, miniduke.bro

malBroro

The Malware Bro roasts repository is a collection of Bro (now Zeek) scripts for detecting malware command-and-control traffic in network captures or on a live interface.

Usage

Quick Start

git clone git://github.com/mavam/malbroro.git
bro -C -r trace.pcap ./malbroro
bro -i eth0 ./malbroro

The -C flag makes Bro ignore invalid IP/TCP checksums, which are common in traces captured on a host with checksum offloading. GitHub no longer serves the git:// protocol, so clone over HTTPS (https://github.com/mavam/malbroro.git) instead.

Integration

Clone this repository into your site directory and add

@load ./malbroro

to your local.bro. Loading a directory picks up its __load__.bro, which in turn loads the individual detection scripts.

Malware

Tested

The scripts in this list have been tested against a PCAP trace of the malware's traffic.

  • miniduke.bro: detects Miniduke C&C traffic by looking for an HTTP response whose body has MIME type image/gif, sent in reply to a request with a URI like .*index.php?e=Rqut1NbyoQkT.

Untested

These are experimental scripts for which I could not yet obtain a sample trace, so they have not been tested.

  • mcrat.bro: detects McRAT C&C traffic by looking for an HTTP POST request to /59788582 carrying the headers Content-Length: 44, Pragma: no-cache, and Host: 110.[0-9]+.55.187.
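Both heuristics above, written out as one Bro/Zeek script. This is an added example, not the repository's miniduke.bro or mcrat.bro; the module name MalBroro, the notice names Miniduke_C2 and McRAT_C2, and the constant names are invented for illustration. It assumes a Bro 2.2+ or Zeek installation with the standard http_request, http_all_headers and http_message_done events, and that the file framework has filled HTTP::Info$resp_mime_types (sniffed from the body, not the Content-Type header) by the time the response message is done.

```zeek
##! Added example (not part of the malbroro repository): Miniduke and McRAT
##! C&C heuristics from the README as notices. Assumes Bro 2.2+ / Zeek.

@load base/frameworks/notice
@load base/protocols/http

module MalBroro;

export {
    redef enum Notice::Type += {
        ## image/gif body answering a request for the Miniduke URI.
        Miniduke_C2,
        ## POST /59788582 carrying the three fixed McRAT headers.
        McRAT_C2,
    };

    ## Miniduke request URI from the README, with '.' and '?' escaped so they
    ## match literally (the README's ".*index.php?e=..." is not a strict regex).
    const miniduke_uri = /index\.php\?e=Rqut1NbyoQkT/ &redef;

    ## McRAT Host header from the README; compared exactly against the value.
    const mcrat_host = /110\.[0-9]+\.55\.187/ &redef;

    ## McRAT beacon path from the README.
    const mcrat_path = "/59788582" &redef;
}

redef record HTTP::Info += {
    ## Set on the request side when the URI matched miniduke_uri (not logged).
    miniduke_req: bool &default=F;
};

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( c?$http && miniduke_uri in unescaped_URI )
        c$http$miniduke_req = T;
    }

# Miniduke: once the response body is complete, check the sniffed MIME types
# recorded for this transaction (assumed populated by the file framework).
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( is_orig || ! c?$http || ! c$http$miniduke_req || ! c$http?$resp_mime_types )
        return;

    for ( i in c$http$resp_mime_types )
        {
        if ( c$http$resp_mime_types[i] == "image/gif" )
            {
            NOTICE([$note=Miniduke_C2, $conn=c,
                    $msg=fmt("possible Miniduke C&C: %s answered %s with image/gif",
                             c$id$resp_h, c$http$uri),
                    $identifier=cat(c$id$orig_h, c$id$resp_h)]);
            break;
            }
        }
    }

# McRAT: all request headers are available together here; require all three
# so that a lone "Pragma: no-cache" or "Content-Length: 44" does not fire.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    if ( ! is_orig || ! c?$http || ! c$http?$method || ! c$http?$uri )
        return;
    if ( c$http$method != "POST" || c$http$uri != mcrat_path )
        return;

    local hits = 0;
    for ( i in hlist )
        {
        # Header names arrive uppercased; normalise anyway and trim the value.
        local name = to_upper(hlist[i]$name);
        local value = strip(hlist[i]$value);
        if ( name == "CONTENT-LENGTH" && value == "44" )
            ++hits;
        else if ( name == "PRAGMA" && to_lower(value) == "no-cache" )
            ++hits;
        else if ( name == "HOST" && mcrat_host == value )
            ++hits;
        }

    if ( hits == 3 )
        NOTICE([$note=McRAT_C2, $conn=c,
                $msg=fmt("possible McRAT C&C: POST %s to %s", mcrat_path, c$id$resp_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Run it the same way as the repository's scripts, for example `bro -C -r trace.pcap malbroro_example.bro`, and look for MalBroro::Miniduke_C2 or MalBroro::McRAT_C2 entries in notice.log. The per-transaction flag in HTTP::Info is what ties the image/gif response to the earlier request, so pipelined requests on one connection are still matched to the right response.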