Skip to content
/ bro-apt1 Public

This is a script module for Bro that encapsulates and detects activity related to the Mandiant APT1 report.

47 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sethhall/bro-apt1

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
README.rst
README.rst
 
 
__load__.bro
__load__.bro
 
 
apt1-certs.dat
apt1-certs.dat
 
 
apt1-fqdn.dat
apt1-fqdn.dat
 
 
apt1-md5.dat
apt1-md5.dat
 
 

Repository files navigation

Bro module for Mandiant APT1 Report

This is a script module for Bro 2.2+ that encapsulates and detects activity related to the Mandiant APT1 report.

The module is fully self-contained with the data extracted from the report. Currently it is representing the domain names and file MD5 sums included with the report appendix and the SSL certificate hashes included in a follow up blog post that Mandiant did about the report.

Installation

cd <prefix>/share/bro/site/
git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" >> local.bro

Configuration

There is no configuration necessary.

Output

This module will result in log lines in the intel.log log file and Intel::Notice notices which will be logged in the notice.log log file.

About

This is a script module for Bro that encapsulates and detects activity related to the Mandiant APT1 report.

Resources

Readme
Activity

Stars

47 stars

Watchers

15 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages