UPDATED 15:08 EDT / MAY 31 2013


Putting Virustotal to Work with Bro and Splunk

VirusTotal, Splunk, and Bro are different tools, but all are aimed at monitoring and analyzing large volumes of data. Each is useful on its own, and we’ve come across a good example of using all three together. In a blog post, Keith Tyler described an experiment that used VirusTotal’s API to look up MD5 hashes gathered from Bro logs in Splunk, to find viruses and malware lurking on the network. Tyler does malware analysis regularly and wanted to make sifting through reams of data for these infections less laborious.

According to Tyler, the three tools combined provide an impressive amount of useful information, make life a bit easier, and connect the malware-forensic dots faster.

The experiment used CentOS and a limited version of Splunk, along with the Python development libraries. Registration with VirusTotal is also needed to get an API key. Here’s the experiment Tyler performed:

“Once you install Splunk and have a log source containing MD5s (Bro!), we configure Splunk by creating a generic Splunk app and copying over our Python scripts. Next we configure the Splunk lookups and test it out. After the app is installed, import some logs containing MD5s or set up Bro and acquire them.

As Splunk’s version of Python is bare bones, we need to create a wrapper that calls the actual script. Next, we tell Splunk the location of the scripts and create a lookup.

Finally, we test it out and see if it works. The test query calls one known-good MD5 and passes it to the lookup script. The first part specifies fields that are not “-”, then sends them to top and gives only one result back. The part we are concerned with is “lookup vtLookup md5”.

Running the search, we see the new field “vt” with the response from VirusTotal. When I bump up the search to return 10 responses we start seeing no response from VirusTotal since our API requests are limited.”

Tyler’s verdict was that the request limits VirusTotal sets make this impractical in Splunk. But a Reddit user suggested that if you agree to submit the samples you find to VirusTotal, they can raise the request cap, and you may receive additional privileges when calling the API.
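The lookup script itself, as an added example that is not Tyler’s code, Splunk’s, or VirusTotal’s: a Splunk external lookup in Python 3 that reads the md5 column Splunk hands it on stdin, asks VirusTotal’s v2 file/report endpoint for each distinct hash, and writes the answer back as the vt field. It handles the two things the quoted experiment ran into, Bro’s “-” for an unset field and the public-key request quota (a 204 from the API), by skipping blanks, caching repeated hashes, pacing requests, and marking the remaining rows instead of firing off more requests once the quota is hit. The placeholder API key, the 15-second pacing, the 60-second back-off and the sample rows and reports are assumptions for the example; run by hand with no arguments the script uses those constructed samples so it can be exercised offline.

```python
import csv
import json
import sys
import time
import urllib.parse
import urllib.request

VT_API_KEY = "REPLACE_WITH_YOUR_VT_API_KEY"  # placeholder; a real key comes from VirusTotal registration
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
# Public v2 keys are limited to 4 requests per minute; going over returns HTTP 204 with an
# empty body, which is the "no response" seen once a search hands the lookup 10 rows.
MIN_INTERVAL_SECONDS = 15.0   # assumption for the example: spread 4 requests over a minute
QUOTA_BACKOFF_SECONDS = 60.0  # assumption for the example: wait out one quota window, once

class QuotaExceeded(Exception):
    """VirusTotal answered HTTP 204: the request quota is exhausted."""

def vt_fetch(md5, api_key=VT_API_KEY, url=VT_REPORT_URL):
    """POST one hash to the v2 file/report endpoint and return the parsed JSON report."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": md5}).encode()
    with urllib.request.urlopen(url, body, timeout=20) as resp:
        if resp.status == 204:
            raise QuotaExceeded(md5)
        return json.loads(resp.read().decode())

def is_valid_md5(value):
    """Bro writes '-' for an unset field; only 32 hex digits are worth a request."""
    v = value.strip().lower()
    return len(v) == 32 and all(c in "0123456789abcdef" for c in v)

def summarize(report):
    """Collapse a v2 report into the one string Splunk will show in the vt field."""
    code = report.get("response_code")
    if code == 1:
        return "%d/%d detections (scanned %s)" % (
            report.get("positives", 0), report.get("total", 0), report.get("scan_date", "?"))
    return {0: "not found in VirusTotal", -2: "queued for analysis"}.get(
        code, "unexpected response: %s" % report.get("verbose_msg", code))

def enrich(rows, fetch=vt_fetch, sleep=time.sleep):
    """Fill in row['vt'] for every row: each distinct hash is fetched once, requests are
    paced to the quota, a 204 is retried once after a back-off, and if it repeats the
    remaining rows are marked rather than sent as yet more requests."""
    cache, calls, quota_hit = {}, 0, False
    for row in rows:
        md5 = (row.get("md5") or "").strip().lower()
        if not is_valid_md5(md5):
            row["vt"] = "skipped: no md5"
            continue
        if md5 not in cache and not quota_hit:
            report = None
            for attempt in range(2):
                if calls:
                    sleep(MIN_INTERVAL_SECONDS if attempt == 0 else QUOTA_BACKOFF_SECONDS)
                calls += 1
                try:
                    report = fetch(md5)
                    break
                except QuotaExceeded:
                    pass
            if report is None:
                quota_hit = True
            else:
                cache[md5] = summarize(report)
        row["vt"] = cache.get(md5, "skipped: quota exceeded")
    return rows

def main(infile=sys.stdin, outfile=sys.stdout):
    """Splunk entry point: CSV rows in, the same rows plus a filled vt column out."""
    reader = csv.DictReader(infile)
    fieldnames = list(reader.fieldnames or [])
    if "vt" not in fieldnames:
        fieldnames.append("vt")
    writer = csv.DictWriter(outfile, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(enrich(list(reader)))

# Constructed sample data for an offline run; detection counts and dates are illustrative.
SAMPLE_REPORTS = {
    "44d88612fea8a8f36de82e1278abb02f": {"response_code": 1, "positives": 59, "total": 60,
                                         "scan_date": "2013-05-31 15:08:00"},
    "d41d8cd98f00b204e9800998ecf8427e": {"response_code": 0},
}
SAMPLE_ROWS = [
    {"md5": "-"},                                 # unset field straight out of Bro
    {"md5": "44D88612FEA8A8F36DE82E1278ABB02F"},  # upper case: normalised before lookup
    {"md5": "d41d8cd98f00b204e9800998ecf8427e"},  # hash the service has no report for
    {"md5": "44d88612fea8a8f36de82e1278abb02f"},  # repeat: answered from the cache
    {"md5": "ffffffffffffffffffffffffffffffff"},  # fake_fetch answers this with a 204
    {"md5": "00000000000000000000000000000000"},  # never sent once the quota is hit
]

def fake_fetch(md5):
    """Stand-in for vt_fetch: any hash outside SAMPLE_REPORTS simulates the 204."""
    if md5 not in SAMPLE_REPORTS:
        raise QuotaExceeded(md5)
    return SAMPLE_REPORTS[md5]

def demo():
    """Run the lookup over SAMPLE_ROWS with no network and no real sleeping."""
    return enrich([dict(r) for r in SAMPLE_ROWS], fetch=fake_fetch, sleep=lambda _s: None)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # Splunk invokes the script with the field names as arguments
        main()
    else:                  # run by hand: print the offline demo
        print(*("%s -> %s" % (r["md5"], r["vt"]) for r in demo()), sep="\n")
```

To wire it in, drop the script into the app’s bin directory and define the lookup in the app’s transforms.conf with a stanza such as `[vtLookup]`, `external_cmd = vt_lookup.py md5 vt`, `external_type = python`, `fields_list = md5, vt` (the script name and stanza name are assumptions here; the keys are Splunk’s). The script uses only the standard library, so it runs under the Python that Splunk bundles without the wrapper Tyler needed for his dependencies. Because the pacing is done by sleeping inside the lookup, a search that hands it ten distinct hashes will take well over two minutes to return, which is why this suits ad-hoc triage of a handful of hashes rather than bulk enrichment unless the request cap has been raised.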

So, let’s take a quick look at each of these tools and what they do.

VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs. It runs them past around 46 antivirus products and scan engines to catch malware that the user’s own antivirus solution may have missed. You can upload files up to 64 MB for scanning. Note that looking up a hash, as Tyler’s experiment does, only returns a report for files someone has already submitted; an unknown file produces no result until it is uploaded.

Splunk

Splunk is a leading provider of operational intelligence software used to monitor, report on, and analyze real-time machine data as well as terabytes of historical data, located on-premises or in the cloud. Its main product, also called Splunk, indexes structured and unstructured textual machine-generated data.

Bro

Bro (since renamed Zeek) is a powerful network analysis framework, relied upon operationally in particular by many scientific environments to secure their cyber infrastructure. It targets high-performance networks and is used at a variety of large sites.

