├── 1-blackhole-medfos ├── .state │ └── state.bst ├── EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap.zip ├── EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap └── extract_files │ ├── extract-HTTP-8h4CEnzWVpd │ ├── extract-HTTP-9DZzr2t6rca │ ├── extract-HTTP-B5VLBTWL2M4 │ ├── extract-HTTP-EYRuegc351j │ ├── extract-HTTP-Jx2pLBrkGU1 │ ├── extract-HTTP-KTF9vZvF9Fk │ ├── extract-HTTP-PCVlPQK4kml │ ├── extract-HTTP-bUG8g702mG4 │ ├── extract-HTTP-dRKffE8yGab │ ├── extract-HTTP-f52iWRyx5pb │ ├── extract-HTTP-llupeDct72j │ ├── extract-HTTP-omXTvOP4k0h │ ├── extract-HTTP-vsO6TnLnfX7 │ └── extract-HTTP-y7HXeiTTz3j ├── 2-blackhole_v2-2012-09 ├── .state │ └── state.bst ├── EK_Blackholev2_2012-09.pcap └── extract_files │ ├── extract-HTTP-4tvp5kOVqli │ ├── extract-HTTP-AWKsDAHtbx │ ├── extract-HTTP-gJHxsLy3lvd │ ├── extract-HTTP-zFxhAa6Kt6b │ └── extract-HTTP-zOJdDVXoOZ ├── 3-mswab_yayih ├── .state │ └── state.bst ├── BIN_Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03-pcap.zip └── Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap ├── 4-smokekt150 ├── .state │ └── state.bst ├── EK_Smokekt150(Malwaredontneedcoffee)_2012-09-pcap.zip ├── EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap └── extract_files │ ├── extract-HTTP-1rmw0W5kJ2k │ ├── extract-HTTP-2xgayaoh6mf │ ├── extract-HTTP-n7Y2WODl94d │ └── extract-HTTP-o99CvGaZ9pc ├── 5-tbot ├── .state │ └── state.bst └── BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap ├── 6-zeroaccess ├── .state │ └── state.bst └── BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap ├── 7-purplehaze-pihar ├── .state │ └── state.bst └── extract_files │ ├── extract-HTTP-9EcIAELxt16 │ ├── extract-HTTP-ByTyrcQjC23 │ └── extract-HTTP-Iu9fonpuCxb ├── 8-lurk ├── .state │ └── state.bst ├── BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap.zip └── BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10.pcap ├── BroExchange2013-Malware.txt ├── README.md └── solutions ├── asn-ip.bro ├── download-by-java.bro ├── extract-all-files.bro ├── extract-files.bro ├── extract-header-names-and-values.bro ├── geo-ip.bro ├── header-names-print.bro ├── identify-headers.bro ├── json-rpc.sig ├── lurk0 ├── __load__.bro ├── lurk0.bro └── lurk0.sig ├── match-headers.bro ├── mining.bro └── zeroaccess ├── __load__.bro ├── zeroaccess.bro └── zeroaccess.sig /1-blackhole-medfos/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/.state/state.bst -------------------------------------------------------------------------------- /1-blackhole-medfos/EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap.zip -------------------------------------------------------------------------------- /1-blackhole-medfos/EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-8h4CEnzWVpd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-8h4CEnzWVpd -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-9DZzr2t6rca: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-9DZzr2t6rca -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-B5VLBTWL2M4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-B5VLBTWL2M4 -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-EYRuegc351j: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-EYRuegc351j -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-Jx2pLBrkGU1: -------------------------------------------------------------------------------- 1 | 404 Not Found -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-KTF9vZvF9Fk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-KTF9vZvF9Fk -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-PCVlPQK4kml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-PCVlPQK4kml -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-bUG8g702mG4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-bUG8g702mG4 -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-dRKffE8yGab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-dRKffE8yGab -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-f52iWRyx5pb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-f52iWRyx5pb -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-llupeDct72j: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-llupeDct72j -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-omXTvOP4k0h: -------------------------------------------------------------------------------- 1 | 404 Not Found -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-vsO6TnLnfX7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-vsO6TnLnfX7 -------------------------------------------------------------------------------- /1-blackhole-medfos/extract_files/extract-HTTP-y7HXeiTTz3j: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/1-blackhole-medfos/extract_files/extract-HTTP-y7HXeiTTz3j -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/.state/state.bst -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/EK_Blackholev2_2012-09.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/EK_Blackholev2_2012-09.pcap -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/extract_files/extract-HTTP-4tvp5kOVqli: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/extract_files/extract-HTTP-4tvp5kOVqli -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/extract_files/extract-HTTP-AWKsDAHtbx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/extract_files/extract-HTTP-AWKsDAHtbx -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/extract_files/extract-HTTP-gJHxsLy3lvd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/extract_files/extract-HTTP-gJHxsLy3lvd -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/extract_files/extract-HTTP-zFxhAa6Kt6b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/extract_files/extract-HTTP-zFxhAa6Kt6b -------------------------------------------------------------------------------- /2-blackhole_v2-2012-09/extract_files/extract-HTTP-zOJdDVXoOZ: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/2-blackhole_v2-2012-09/extract_files/extract-HTTP-zOJdDVXoOZ -------------------------------------------------------------------------------- /3-mswab_yayih/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/3-mswab_yayih/.state/state.bst -------------------------------------------------------------------------------- /3-mswab_yayih/BIN_Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03-pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/3-mswab_yayih/BIN_Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03-pcap.zip -------------------------------------------------------------------------------- /3-mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/3-mswab_yayih/Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap -------------------------------------------------------------------------------- /4-smokekt150/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTR|. -------------------------------------------------------------------------------- /4-smokekt150/EK_Smokekt150(Malwaredontneedcoffee)_2012-09-pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/EK_Smokekt150(Malwaredontneedcoffee)_2012-09-pcap.zip -------------------------------------------------------------------------------- /4-smokekt150/EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -------------------------------------------------------------------------------- /4-smokekt150/extract_files/extract-HTTP-1rmw0W5kJ2k: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/extract_files/extract-HTTP-1rmw0W5kJ2k -------------------------------------------------------------------------------- /4-smokekt150/extract_files/extract-HTTP-2xgayaoh6mf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/extract_files/extract-HTTP-2xgayaoh6mf -------------------------------------------------------------------------------- /4-smokekt150/extract_files/extract-HTTP-n7Y2WODl94d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/extract_files/extract-HTTP-n7Y2WODl94d -------------------------------------------------------------------------------- /4-smokekt150/extract_files/extract-HTTP-o99CvGaZ9pc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/4-smokekt150/extract_files/extract-HTTP-o99CvGaZ9pc -------------------------------------------------------------------------------- /5-tbot/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/5-tbot/.state/state.bst -------------------------------------------------------------------------------- /5-tbot/BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/5-tbot/BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap -------------------------------------------------------------------------------- /6-zeroaccess/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/6-zeroaccess/.state/state.bst -------------------------------------------------------------------------------- /6-zeroaccess/BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/6-zeroaccess/BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap -------------------------------------------------------------------------------- /7-purplehaze-pihar/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/7-purplehaze-pihar/.state/state.bst -------------------------------------------------------------------------------- /7-purplehaze-pihar/extract_files/extract-HTTP-9EcIAELxt16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/7-purplehaze-pihar/extract_files/extract-HTTP-9EcIAELxt16 -------------------------------------------------------------------------------- /7-purplehaze-pihar/extract_files/extract-HTTP-ByTyrcQjC23: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/7-purplehaze-pihar/extract_files/extract-HTTP-ByTyrcQjC23 -------------------------------------------------------------------------------- /7-purplehaze-pihar/extract_files/extract-HTTP-Iu9fonpuCxb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/7-purplehaze-pihar/extract_files/extract-HTTP-Iu9fonpuCxb -------------------------------------------------------------------------------- /8-lurk/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/8-lurk/.state/state.bst -------------------------------------------------------------------------------- /8-lurk/BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/8-lurk/BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap.zip -------------------------------------------------------------------------------- /8-lurk/BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/8-lurk/BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10.pcap -------------------------------------------------------------------------------- /BroExchange2013-Malware.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/BroExchange2013-Malware.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/README.md -------------------------------------------------------------------------------- /solutions/asn-ip.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/asn-ip.bro -------------------------------------------------------------------------------- /solutions/download-by-java.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/download-by-java.bro -------------------------------------------------------------------------------- /solutions/extract-all-files.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/extract-all-files.bro -------------------------------------------------------------------------------- /solutions/extract-files.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/extract-files.bro -------------------------------------------------------------------------------- /solutions/extract-header-names-and-values.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/extract-header-names-and-values.bro -------------------------------------------------------------------------------- /solutions/geo-ip.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/geo-ip.bro -------------------------------------------------------------------------------- /solutions/header-names-print.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/header-names-print.bro -------------------------------------------------------------------------------- /solutions/identify-headers.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/identify-headers.bro -------------------------------------------------------------------------------- /solutions/json-rpc.sig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/json-rpc.sig -------------------------------------------------------------------------------- /solutions/lurk0/__load__.bro: -------------------------------------------------------------------------------- 1 | @load ./lurk0.bro 2 | -------------------------------------------------------------------------------- /solutions/lurk0/lurk0.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/lurk0/lurk0.bro -------------------------------------------------------------------------------- /solutions/lurk0/lurk0.sig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/lurk0/lurk0.sig -------------------------------------------------------------------------------- /solutions/match-headers.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/match-headers.bro -------------------------------------------------------------------------------- /solutions/mining.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/mining.bro -------------------------------------------------------------------------------- /solutions/zeroaccess/__load__.bro: -------------------------------------------------------------------------------- 1 | @load ./zeroaccess.bro 2 | -------------------------------------------------------------------------------- /solutions/zeroaccess/zeroaccess.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/zeroaccess/zeroaccess.bro -------------------------------------------------------------------------------- /solutions/zeroaccess/zeroaccess.sig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LiamRandall/BroMalware-Exercise/HEAD/solutions/zeroaccess/zeroaccess.sig --------------------------------------------------------------------------------