Bro module for the compromise indicators provided by Symantec in their Comment Crew report

kevinwilcox/bro-sccrew

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 

Repository files navigation

Bro module for the Symantec Comment Crew Report

This module detects domain lookups for domains outlined in the Symantec Comment Crew report. A copy of that report can be found here:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf


Installation

# Clone the module into the site policy directory and load it from local.bro.
cd <bro_dir>/share/bro/site/
# GitHub no longer serves the unauthenticated git:// protocol; if this clone
# fails, use https://github.com/kevinwilcox/bro-sccrew.git instead.
git clone git://github.com/kevinwilcox/bro-sccrew.git sccrew
echo "@load sccrew" | sudo tee -a local.bro
# Verify the scripts parse, push them to the workers, and restart Bro.
sudo broctl check
sudo broctl update
sudo broctl restart


Notices

This module generates notices of the type SCCREW::Domain_Hit whenever Bro sees a DNS query for one of the report's domains; they appear in notice.log alongside the other Notice framework output.
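
To make the detection shape concrete, here is an added illustration of the kind of Bro 2.x policy script that raises such a notice. This is not the bro-sccrew project's own script: the domain list is a placeholder (the real module carries the domains from the Symantec report), the helper `match_indicator` is an assumed name, and the `while` loop needs Bro 2.4 or later.

```bro
# Added illustration, not the bro-sccrew project's code: a Bro 2.x policy
# script that raises SCCREW::Domain_Hit when a DNS query names an indicator
# domain or a subdomain of one. The domain list is a placeholder; the real
# module is populated from the Symantec Comment Crew report.
module SCCREW;

export {
	redef enum Notice::Type += {
		## Raised when a DNS query matches a Comment Crew indicator domain.
		Domain_Hit
	};

	## Indicator domains, lowercase, no trailing dot. Placeholder entry only;
	## operators can extend the set with "redef SCCREW::domains += { ... }".
	const domains: set[string] = {
		"placeholder-indicator.invalid"
	} &redef;
}

# Walk from the full query name up through its parent domains so that
# "www.placeholder-indicator.invalid" still matches the bare indicator.
# Returns the matching indicator, or "" when nothing matched.
function match_indicator(query: string): string
	{
	local candidate = to_lower(query);
	while ( candidate != "" )
		{
		if ( candidate in domains )
			return candidate;
		local dot = strstr(candidate, ".");
		if ( dot == 0 )
			break;
		# Drop the leftmost label and try the parent domain.
		candidate = sub_bytes(candidate, dot + 1, |candidate| - dot);
		}
	return "";
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local hit = match_indicator(query);
	if ( hit == "" )
		return;

	NOTICE([$note=Domain_Hit,
	        $msg=fmt("DNS lookup for Comment Crew indicator domain %s", hit),
	        $sub=query,
	        $conn=c,
	        # One notice per (client, indicator) per hour keeps notice.log readable.
	        $identifier=cat(c$id$orig_h, hit),
	        $suppress_for=1hr]);
	}
```

Two points worth keeping in mind when deploying a script of this shape: it only fires on DNS traffic Bro actually sees, so a host that reaches an indicator by hard-coded IP address, or resolves it through a path the sensor does not observe, produces no Domain_Hit; and the `$identifier`/`$suppress_for` pair is what stops a chatty resolver from turning one compromised host into thousands of notices.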


Attribution

This module is a near clone of the APT1 module by Seth Hall but uses the data from the Symantec report instead of Mandiant's IOCs.

Seth's module can be found here:

http://github.com/sethhall/bro-apt1
