├── CIF
│   └── domain-malware.intel
├── README.md
├── sample1
│   └── sample1.pcap
├── sample2
│   ├── .state
│   │   └── state.bst
│   └── sample2.pcap
├── sample3
│   ├── .state
│   │   └── state.bst
│   └── sample3.pcap
├── sample4
│   ├── .state
│   │   └── state.bst
│   └── sample4.pcap
└── scripts
    └── extract-all.bro

/README.md:
--------------------------------------------------------------------------------
Bro-samples
===========

Bro scripts & pcap samples

Walk-through of the samples using Bro IDS and CIF at Open Security Research:
http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html

References:

Catching "bayas" on the Wire: Practical Kung-Fu to detect Malware Traffic. SANS EU Forensic Summit:
http://digital-forensics.sans.org/summit-archives/Prague_Summit/Catching_Bayas_on_the_wire_Ismael_Valenzuela.pdf

Liam Randall's samples, exercises and scripts:
https://github.com/LiamRandall

Toolsmith: Collective Intelligence Framework:
http://holisticinfosec.blogspot.com.es/2012/07/toolsmith-collective-intelligence.html

The Bro Network Security Monitor:
http://www.bro.org/index.html

Malware dumps and pcaps:
http://contagiodump.blogspot.com.es

Collective Intelligence Framework:
https://code.google.com/p/collective-intelligence-framework/

Security Onion:
http://blog.securityonion.net

Remnux:
http://zeltser.com/remnux/

by Ismael Valenzuela (@aboutsecurity)

--------------------------------------------------------------------------------
/sample1/sample1.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aboutsecurity/Bro-samples/08f66921f938237b07c6076d5876c2e99cc17378/sample1/sample1.pcap
--------------------------------------------------------------------------------
/sample2/.state/state.bst:
--------------------------------------------------------------------------------
(binary Bro state file; contents not shown)
--------------------------------------------------------------------------------
/sample2/sample2.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aboutsecurity/Bro-samples/08f66921f938237b07c6076d5876c2e99cc17378/sample2/sample2.pcap
--------------------------------------------------------------------------------
/sample3/.state/state.bst:
--------------------------------------------------------------------------------
(binary Bro state file; contents not shown)
--------------------------------------------------------------------------------
/sample3/sample3.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aboutsecurity/Bro-samples/08f66921f938237b07c6076d5876c2e99cc17378/sample3/sample3.pcap
--------------------------------------------------------------------------------
/sample4/.state/state.bst:
--------------------------------------------------------------------------------
(binary Bro state file; contents not shown)
--------------------------------------------------------------------------------
/sample4/sample4.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aboutsecurity/Bro-samples/08f66921f938237b07c6076d5876c2e99cc17378/sample4/sample4.pcap
--------------------------------------------------------------------------------
/scripts/extract-all.bro:
--------------------------------------------------------------------------------
# Fires once for every file Bro reassembles from the traffic it is analysing.
event file_new(f: fa_file)
    {
    # Attach the file-extraction analyzer to every file, so its contents are
    # carved out of the pcap and written to disk for offline inspection.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
--------------------------------------------------------------------------------