예제 #1
## Simple file type detection.
## If I had unlimited API access, I would submit every MD5 to something like VirusTotal.

## MIME types this script treats as forbidden.  Written as one
## whitespace-separated string so adding an entry is a single token; split()
## produces exactly the same list, in the same order, as the literal it
## replaces.  NOTE(review): nothing below consults this list -- the http.log
## loop only prints resp_mime_types.
forbidden_types = '''
    text/x-bash text/scriptlet application/x-opc+zip
    application/com application/x-msmetafile application/x-shellscript
    text/x-sh text/x-csh application/x-com application/x-helpfile
    application/hta application/x-bat application/x-php
    application/x-winexe application/x-msdownload text/x-javascript
    application/x-msdos-program application/bat application/x-winhelp
    application/vnd.ms-powerpoint text/x-perl application/x-javascript
    application/x-ms-shortcut application/vnd.msexcel
    application/x-msdos-windows text/x-python application/x-download
    text/javascript text/x-php application/exe application/x-exe
    application/x-winhlp application/msword application/zip
'''.split()

from config import *
import bparser
import notifiers

## Walk http.log and print the resp_mime_types field of every entry, exactly
## as bparser hands it back.  The parenthesised single-argument print is the
## same statement under Python 2 as the bare form it replaces.
for entry in bparser.parseentries('http.log'):
    print(entry['resp_mime_types'])
예제 #2
## BroScanner:
## streaming Python data analyzer for the Bro network analyzer

import os, sys
import tailer
import time
import json

from config import *
import bparser


## simple alert notifier:
'''
import notifiers
for i in bparser.parseentries('notice.log'):
	print i
	notifiers.notify(i['msg'])
'''

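## simple json parser: emit each parsed log entry as one JSON object per line.
## The log path is the sole command-line argument; without it the original
## code died with an IndexError traceback from sys.argv[1], so print a usage
## line and exit non-zero instead.
if len(sys.argv) < 2:
	sys.exit("usage: {} <bro-log-file>".format(sys.argv[0]))

for entry in bparser.parseentries(sys.argv[1]):
	## json.dumps raises TypeError for values it cannot encode; this assumes
	## bparser yields plain str/number fields -- TODO confirm against bparser.
	print(json.dumps(entry))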
예제 #3
## Simple file type detection.
## If I had unlimited API access, I would submit every MD5 to something like VirusTotal.

## Denylist of MIME types for the files.log scan below.  Membership (`in`) is
## the only operation performed on it, and a type that is not listed is
## simply not reported.  The string form below splits into exactly the same
## list, in the same order, as the one-line literal it replaces.
forbidden_types = """
	text/x-bash text/scriptlet application/x-opc+zip
	application/com application/x-msmetafile application/x-shellscript
	text/x-sh text/x-csh application/x-com application/x-helpfile
	application/hta application/x-bat application/x-php
	application/x-winexe application/x-msdownload text/x-javascript
	application/x-msdos-program application/bat application/x-winhelp
	application/vnd.ms-powerpoint text/x-perl application/x-javascript
	application/x-ms-shortcut application/vnd.msexcel
	application/x-msdos-windows text/x-python application/x-download
	text/javascript text/x-php application/exe application/x-exe
	application/x-winhlp application/msword application/zip
""".split()

from config import *
import bparser
import notifiers

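## Bro writes booleans as "T"/"F" and unset fields as "-".  If bparser passes
## those through as raw strings, `not i['local_orig']` is False for every row
## (a non-empty string is truthy) and the "remote sender" clause never fires.
## Normalising here keeps the test correct whether the field arrives as a
## bool, a T/F string or the unset marker.
## NOTE(review): the T/F/"-" encoding is assumed from Bro's log format --
## confirm against bparser.parseentries.
_NOT_LOCAL = (False, None, '', '-', 'F')


def _originated_locally(value):
	"""Return True when a files.log local_orig value says the sender was local."""
	return value not in _NOT_LOCAL


for entry in bparser.parseentries('files.log'):
	## Report every file whose sender was not local, plus any file (local or
	## not) whose MIME type is on the forbidden list.  mime_type is derived by
	## content sniffing rather than taken from the HTTP Content-Type, so a
	## renamed or padded payload can still be misclassified -- a miss here
	## means "not flagged", not "clean".
	if not _originated_locally(entry['local_orig']) or entry['mime_type'] in forbidden_types:
		## Blank separator; print("") gives the same output on Python 2 and 3.
		print("")
		## rx_hosts/tx_hosts, filename and source are copied from the wire
		## (filename, for HTTP, typically from the peer's headers) and are
		## echoed unsanitised -- treat this output as untrusted text.
		print("{} downloaded a file from {} via {}".format(entry['rx_hosts'], entry['tx_hosts'], entry['source']))
		print("Filename: {}  length: {}  mime type: {}".format(entry['filename'], entry['total_bytes'], entry['mime_type']))
		print("MD5: {}  SHA1: {}".format(entry['md5'], entry['sha1']))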
예제 #4
## Simple file type detection.
## If I had unlimited API access, I would submit every MD5 to something like VirusTotal.

## MIME types this script treats as forbidden, one group per line so a diff
## of the list stays readable.  Same entries, same order as the one-line
## literal it replaces.  NOTE(review): nothing below consults this list --
## the http.log loop only prints resp_mime_types.
forbidden_types = [
	'text/x-bash', 'text/scriptlet', 'application/x-opc+zip', 'application/com',
	'application/x-msmetafile', 'application/x-shellscript', 'text/x-sh', 'text/x-csh',
	'application/x-com', 'application/x-helpfile', 'application/hta', 'application/x-bat',
	'application/x-php', 'application/x-winexe', 'application/x-msdownload', 'text/x-javascript',
	'application/x-msdos-program', 'application/bat', 'application/x-winhelp',
	'application/vnd.ms-powerpoint', 'text/x-perl', 'application/x-javascript',
	'application/x-ms-shortcut', 'application/vnd.msexcel', 'application/x-msdos-windows',
	'text/x-python', 'application/x-download', 'text/javascript', 'text/x-php',
	'application/exe', 'application/x-exe', 'application/x-winhlp', 'application/msword',
	'application/zip',
]

from config import *
import bparser
import notifiers

## Print the resp_mime_types field of each http.log entry as bparser returns
## it.  A parenthesised single-argument print is the same statement under
## Python 2 as the bare form it replaces.
for entry in bparser.parseentries('http.log'):
	print(entry['resp_mime_types'])