This is a script module for Bro 2.2+ that encapsulates and detects activity related to the Mandiant APT1 report.
The module is fully self-contained, with the indicator data extracted from the report. It currently represents the domain names and file MD5 sums included in the report appendix, plus the SSL certificate hashes published in a follow-up blog post Mandiant wrote about the report.
    cd <prefix>/share/bro/site/
    git clone git://github.com/sethhall/bro-apt1.git apt1
    echo "@load apt1" >> local.bro
There is no configuration necessary.
When one of the indicators is seen on the wire, this module produces a line in intel.log and raises an Intel::Notice notice, which is logged in notice.log.
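The module relies on Bro's Intel framework to hold its indicators. The script below is an added illustration of that mechanism, not code from the bro-apt1 module: it inserts one indicator of each type the module carries (a domain name, a file MD5 and a certificate hash) with `do_notice` set, so that a match appears in intel.log and also raises Intel::Notice in notice.log. Every indicator value is a constructed placeholder, not data from the APT1 report, and the module name `APT1Example` and source label `APT1-example` are invented for the example. It assumes a Bro 2.2 site whose local.bro already loads the `policy/frameworks/intel/seen` scripts, which is what makes DNS names, file hashes and TLS certificates visible to the framework.

```bro
# Added illustration (not part of the bro-apt1 module) of feeding indicators
# to Bro's Intel framework. Indicator values are constructed placeholders.
@load base/frameworks/intel
@load policy/frameworks/intel/do_notice   # adds the do_notice field and Intel::Notice
@load policy/frameworks/intel/seen        # assumption: hooks DNS, file hashes and SSL certs

module APT1Example;   # hypothetical module name

event bro_init() &priority=5
	{
	# One metadata record shared by every indicator. do_notice=T turns a hit in
	# intel.log into an Intel::Notice in notice.log as well.
	local meta: Intel::MetaData = [$source="APT1-example",           # invented source label
	                               $desc="Placeholder APT1-style indicator",
	                               $do_notice=T];

	# Domain name: matched against DNS query names and HTTP Host headers.
	Intel::insert([$indicator="placeholder-c2.example",
	               $indicator_type=Intel::DOMAIN,
	               $meta=meta]);

	# File MD5: matched when the file analysis framework hashes a transferred
	# file. The value is the MD5 of an empty file, used only as a placeholder.
	Intel::insert([$indicator="d41d8cd98f00b204e9800998ecf8427e",
	               $indicator_type=Intel::FILE_HASH,
	               $meta=meta]);

	# Certificate hash: matched against server certificates observed in TLS
	# handshakes. The all-zero SHA1 is a placeholder, not a real certificate.
	Intel::insert([$indicator="0000000000000000000000000000000000000000",
	               $indicator_type=Intel::CERT_HASH,
	               $meta=meta]);
	}
```

Because the metadata carries a `source` label, each intel.log line records which data set produced the hit, which is what lets you separate this module's matches from other intel feeds loaded on the same sensor.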