bro-fuzzy-hashing
Jan Grashöfer (KIT)
Fuzzy Hashing aka Locality-Sensitive Hashing

Two near-identical files. The SHA1 digests share nothing, while the fuzzy hashes differ in a single character of each signature:

SHA1 hash:
  e74bccc6a838c4faf8454a3f4bdea76b2507d45c
  53686f67b0f242745ea56708f2623919f9ebda19

Fuzzy hash:
  6144:8cM3jdzP9GwzZZfeTxKbb7UD31YrO2o9mK9uVKCM+kZIP:8cIjew1lcdYy2oUGCM+MS
  6144:8cM3jdzP9GwzZZfeTxKbbOUD31YrO2o9mK9uVKCM+kZIP:8cIjew1lcQYy2oUGCM+MS
bro-fuzzy-hashing

Requirements:
  • TLSH library
  • ssdeep library (libfuzzy)

Provides the same functionality as Bro's built-in hashing:
  • File Analyzer
  • Opaque type
  • available as Bro package

Example:

    # Request a conventional and a fuzzy hash for every file Bro sees.
    event file_sniff(f: fa_file, meta: fa_metadata)
        {
        Files::add_analyzer(f, Files::ANALYZER_SHA1);
        Files::add_analyzer(f, Files::ANALYZER_TLSH);
        }

    # Built-in analyzers report via file_hash ...
    event file_hash(f: fa_file, kind: string, hash: string)
        {
        print fmt("file_hash: %s", hash);
        }

    # ... the package reports via its own file_fuzzy_hash event.
    event file_fuzzy_hash(f: fa_file, kind: string, hash: string)
        {
        print fmt("file_fuzzy_hash: %s", hash);
        }

github.com/J-Gras/bro-fuzzy-hashing
jan.grashoefer@kit.edu
bro-fuzzy-hashing

Use cases:
  • Approximate file matching
  • Incomplete files
  • ¯\_(ツ)_/¯

Open questions:
  • Practicability
  • Performance
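The following is an added example, not code from bro-fuzzy-hashing, ssdeep or TLSH. It implements a toy context-triggered piecewise hash (CTPH), the mechanism behind ssdeep, to make the contrast on the "Fuzzy Hashing" slide concrete and to exercise the two use cases above: a patched copy (approximate file matching) and a cut-off download (incomplete file). The `blocksize:sig1:sig2` layout, the 64-character cap, the block-size rule and the "common 7-character run" gate follow ssdeep's design, but the rolling hash, piece hash and scoring are simplified, so the values are not comparable with real ssdeep output. The sample "files" are constructed seeded pseudo-random bytes, not real samples.

```python
"""Toy context-triggered piecewise hashing (CTPH), the idea behind ssdeep.

Added illustration; not code from bro-fuzzy-hashing, ssdeep or TLSH.
Format mimics ssdeep's "blocksize:sig1:sig2"; internals are simplified.
"""
import hashlib
import random

WINDOW = 7                 # bytes covered by the rolling hash
BASE, MOD = 257, 1 << 32
MIN_BLOCK = 3
MAX_SIG = 64               # like ssdeep, cap a signature at 64 characters
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193


def rolling_hashes(data):
    """Yield a Rabin-Karp style hash of the last WINDOW bytes at every offset."""
    h, out_weight = 0, pow(BASE, WINDOW, MOD)
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:                      # drop the byte leaving the window
            h = (h - data[i - WINDOW] * out_weight) % MOD
        yield h


def piecewise_signature(data, block_size):
    """One base64 char per piece; a piece ends where the rolling hash hits the trigger."""
    sig, piece = [], FNV_INIT
    for b, rh in zip(data, rolling_hashes(data)):
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF       # FNV-1a over the piece
        if rh % block_size == block_size - 1 and len(sig) < MAX_SIG - 1:
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                                      # unterminated tail piece
        sig.append(B64[piece & 63])
    return "".join(sig)


def choose_block_size(length):
    """Smallest block size whose expected piece count fits MAX_SIG (ssdeep's rule)."""
    bs = MIN_BLOCK
    while bs * MAX_SIG < length:
        bs *= 2
    return bs


def fuzzy_hash(data):
    """blocksize:signature_at_bs:signature_at_2bs"""
    bs = choose_block_size(len(data))
    return f"{bs}:{piecewise_signature(data, bs)}:{piecewise_signature(data, 2 * bs)}"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _score(a, b):
    """0..100; as in ssdeep, require a common 7-char run first to suppress chance matches."""
    if not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return 100 - (100 * levenshtein(a, b)) // (len(a) + len(b))


def compare(h1, h2):
    """Signatures only compare at equal block size; a 2x neighbour is matched via sig2."""
    bs1, a1, a2 = h1.split(":")
    bs2, b1, b2 = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1), _score(a2, b2))
    if bs1 * 2 == bs2:
        return _score(a2, b1)
    if bs2 * 2 == bs1:
        return _score(a1, b2)
    return 0


def _pseudo_file(seed, size):
    """Constructed stand-in for a file: seeded pseudo-random bytes, not real samples."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


ORIGINAL = _pseudo_file(1, 4000)
EDITED = bytearray(ORIGINAL)
for _pos in (500, 1500, 3000):             # three single-byte patches
    EDITED[_pos] ^= 0xFF
EDITED = bytes(EDITED)
TRUNCATED = ORIGINAL[:2400]                # e.g. a download cut off at 60 %
UNRELATED = _pseudo_file(2, 4000)

if __name__ == "__main__":
    print("sha1  original :", sha1_hex(ORIGINAL))
    print("sha1  edited   :", sha1_hex(EDITED))
    print("fuzzy original :", fuzzy_hash(ORIGINAL))
    print("fuzzy edited   :", fuzzy_hash(EDITED))
    for name, other in (("edited", EDITED), ("truncated", TRUNCATED), ("unrelated", UNRELATED)):
        print(f"original vs {name:9}: {compare(fuzzy_hash(ORIGINAL), fuzzy_hash(other))}")
```

Running it shows why the approach suits the two use cases: the three-byte patch flips the SHA1 completely but changes only a few signature characters, so the score stays high; the truncated copy selects a smaller block size and is matched through the original's first signature against the fragment's second one, giving an intermediate score; the unrelated file fails the 7-character gate and scores 0. The same limitation the "Open questions" slide hints at is visible here too: signatures are comparable only at equal or adjacent block sizes, so a fragment much shorter than the original will not match at all.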
- Slides: 4