# bro-sandworm

**Repository Path**: December2015/bro-sandworm

## Basic Information

- **Project Name**: bro-sandworm
- **Description**: Detection scripts for Sandworm APT
- **Primary Language**: Standard ML
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-07-27
- **Last Updated**: 2020-12-19

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

Bro Module for iSIGHT Partners Sandworm Report
==============================================

This is a Bro script module for Bro 2.3.1+ that detects activity related to the iSIGHT Partners Sandworm report. It was written for the Bro 2.x script language; Bro has since been renamed Zeek, and loading the module on a current Zeek release requires porting it first.

Installation
------------

::

    cd /share/bro/site/
    git clone git://github.com/hosom/bro-sandworm.git Sandworm
    echo "@load Sandworm" >> local.bro

The first command assumes ``/share/bro/site/`` is your install's ``site/`` directory; adjust it to your prefix. GitHub no longer serves the unauthenticated ``git://`` protocol, so on a current system clone the same repository over ``https://`` instead. After appending the ``@load`` line, reinstall and restart Bro (for example via ``broctl``) so the module is actually loaded.

Configuration
-------------

There is no configuration necessary.

Output
------

The module produces two kinds of output:

1. Intel framework matches: Intel alerts in ``intel.log`` and ``Intel::HIT`` notices in ``notice.log`` for indicators from the report that are seen on the wire.
2. A ``Signatures::Sensitive_Signature`` notice in ``notice.log`` whenever one of the module's signatures fires, with the URI that matched carried in the notice message.

Example Output
--------------

::

    1413461520.464836 Cbsqf2wPT386DSa56 10.246.50.4 64147 66.35.59.249 80 - - - tcp Signatures::Sensitive_Signature 10.246.50.4: Sandworm URI /YXJyYWtpczAy/dlfkjasdlfkja.php 10.246.50.4 66.35.59.249 80 - bro Notice::ACTION_LOG 3600.000000 F - - - - -

The line above is a ``notice.log`` record with its fields collapsed to single spaces; in the file itself the fields are tab-separated, as in every Bro ASCII log. The message names the signature (``Sandworm URI``) followed by the request URI; the first path segment, ``YXJyYWtpczAy``, is base64 for ``arrakis02``, one of the Dune-themed strings the report documents, which is what makes the URI a useful pivot when triaging the notice.
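The triage step that follows a notice like the one above, as an added example that is not part of the bro-sandworm module: a Python script that parses a ``notice.log`` in its native tab-separated form (honouring the ``#separator`` and ``#fields`` headers), keeps only the ``Signatures::Sensitive_Signature`` notices tagged ``Sandworm URI``, and decodes the first path segment of the matched URI. The embedded sample log is constructed from the page's example notice plus an unrelated SSH notice, with the column list trimmed; the function and constant names are the example's own.

```python
"""Triage helper for the notices described above (added example, not code from
the bro-sandworm module). It parses a Bro/Zeek ASCII notice.log in its native
tab-separated form, keeps Signatures::Sensitive_Signature notices whose message
carries the module's "Sandworm URI" tag, and decodes the first URI path
segment, which in the sample output is base64 (YXJyYWtpczAy -> arrakis02)."""
import base64
import binascii
from typing import Dict, Iterator, List, Optional

# Constructed sample log: the page's example notice plus one unrelated notice,
# laid out as Bro's ASCII writer does (tab-separated, '-' for unset fields).
# The column list is trimmed to the fields this helper reads.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsub\tsrc\tdst\tp\tactions\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\taddr\taddr\tport\tset[enum]\n"
    "1413461520.464836\tCbsqf2wPT386DSa56\t10.246.50.4\t64147\t66.35.59.249\t80\t"
    "Signatures::Sensitive_Signature\t10.246.50.4: Sandworm URI /YXJyYWtpczAy/dlfkjasdlfkja.php\t-\t"
    "10.246.50.4\t66.35.59.249\t80\tNotice::ACTION_LOG\n"
    "1413461530.000000\tCjk2ab1Xy9zQ\t10.246.50.9\t51000\t203.0.113.7\t22\t"
    "SSH::Password_Guessing\t10.246.50.9 appears to be guessing SSH passwords\t-\t"
    "10.246.50.9\t203.0.113.7\t22\tNotice::ACTION_LOG\n"
)

# Prefix the module puts in the notice message, followed by the matched URI.
SANDWORM_TAG = "Sandworm URI "
SENSITIVE_SIG = "Signatures::Sensitive_Signature"


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header.

    The separator is taken from the #separator header (written as an escape
    such as \\x09), so the parser does not assume tabs; other '#' lines
    (#types, #open, #close, ...) are skipped.
    """
    sep = "\t"
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("record encountered before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on record: {line!r}")
        yield dict(zip(fields, values))


def decode_b64_segment(segment: str) -> Optional[str]:
    """Return the decoded text if `segment` is strict base64 of printable ASCII.

    Anything else (a filename, padding errors, binary output) yields None so
    the caller can tell 'not base64' from a decoded value.
    """
    try:
        raw = base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def sandworm_hits(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Extract the Sandworm signature notices and decode the URI's first segment."""
    hits: List[Dict[str, Optional[str]]] = []
    for rec in parse_bro_log(log_text):
        if rec["note"] != SENSITIVE_SIG or SANDWORM_TAG not in rec["msg"]:
            continue
        uri = rec["msg"].split(SANDWORM_TAG, 1)[1].strip()
        first_segment = uri.strip("/").split("/", 1)[0]
        hits.append({
            "ts": rec["ts"],
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "dst": rec["id.resp_h"],
            "uri": uri,
            "decoded_dir": decode_b64_segment(first_segment),
        })
    return hits


if __name__ == "__main__":
    for hit in sandworm_hits(SAMPLE_NOTICE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} {hit['uri']} "
              f"(dir decodes to {hit['decoded_dir']!r}) uid={hit['uid']}")
```

Point the script at a real ``notice.log`` by reading the file into ``sandworm_hits`` instead of the constructed sample; the ``uid`` it returns is the key for pulling the full session from ``conn.log`` and ``http.log``.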