
New to Zeek here, tried to follow this walkthrough to enable malware detection https://www.ericooi.com/zeekurity-zen-part-vi-zeek-file-analysis-framework/

Zeek is not detecting the malware I have downloaded over HTTP (live capture and in pcap analysis). I understand that the MHR is enabled by default, but somehow, Zeek is not picking it up.

I've tried to ensure that file extraction works, and that the logs are picking up things - which works so far.

I've also tried to perform zeekctl stop and deploy after changing the local.zeek file as I was testing other features of zeek too.

I’ve also checked my configurations in the local.zeek file, but all looks fine - the MHR script is loaded, sha256 is also enabled and I am also able to extract files. My Zeek version is 6.0.0.

45tera
  • Hi there — if you have file extraction and logs working properly, then you basically have set up Zeek correctly. I think (but still need to verify) that the hostname the MHR script uses for its DNS query might have changed on the Cymru side (.malware.cymru.com vs .hash.cymru.com, as per [this](https://hash.cymru.com/docs_dns)). I'll take a closer look and follow up. – Christian Aug 28 '23 at 04:51
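To make the failure points in this setup visible, here is a stripped-down MHR lookup wired to the File Analysis Framework. It is an added example, not code from the question, from the linked walkthrough or from Zeek's own `detect-MHR` script, though it follows the same shape: request a SHA-1 per file, send a DNS TXT query for the hash, parse the `"<timestamp> <detection rate>"` reply and raise a notice above a threshold. The lookup domain, the MIME-type pattern, the threshold and the module name are assumptions you should align with the script and Team Cymru documentation for your release; the point of keeping them as `&redef` constants is that the hostname mentioned in the comment above can be switched from `local.zeek` without editing the script.

```zeek
##! Added example: minimal Malware Hash Registry check on top of the
##! File Analysis Framework. Not Zeek's shipped detect-MHR script.

@load base/frameworks/files
@load base/frameworks/notice
@load base/files/hash

module MHRCheck;

export {
    redef enum Notice::Type += {
        ## Raised when the registry reports the hash at or above the threshold.
        Match
    };

    ## DNS zone that receives "<sha1>.<zone>" TXT queries. Placeholder
    ## (assumption): verify it against the Team Cymru docs and against the
    ## detect-MHR script of your Zeek version, then override from local.zeek:
    ##   redef MHRCheck::lookup_domain = "...";
    const lookup_domain = "hash.cymru.com" &redef;

    ## Only files whose MIME type matches this pattern are looked up. A sample
    ## that Zeek sniffs as text/plain or application/zip will never be queried,
    ## which is a common reason "nothing is detected". Pattern is an assumption.
    const match_file_types = /application\/x-dosexec/ |
                             /application\/pdf/ |
                             /application\/x-shockwave-flash/ |
                             /application\/jar/ &redef;

    ## Detection rate (percent) at or above which a notice is raised.
    const notice_threshold = 10 &redef;
}

# The registry is keyed by SHA-1, so request that digest for every file.
# (SHA-256 being enabled in files.log is not enough for this lookup.)
event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }

function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
    {
    local query = fmt("%s.%s", hash, lookup_domain);

    # Zeek 6 expects an explicit capture list on `when` for locals used inside.
    when [hash, fi, query] ( local result = lookup_hostname_txt(query) )
        {
        # A hit resolves to "<unix timestamp> <detection rate>"; a miss does
        # not resolve and lookup_hostname_txt returns "<???>", which fails the
        # two-field check below and is silently ignored.
        local parts = split_string1(result, / /);
        if ( |parts| != 2 )
            return;

        local detect_rate = to_count(parts[1]);
        if ( detect_rate < notice_threshold )
            return;

        local n = Notice::Info($note=Match,
                               $msg=fmt("MHR detection rate %d%% for sha1 %s (queried %s)",
                                        detect_rate, hash, query));
        Notice::populate_file_info2(fi, n);
        NOTICE(n);
        }
    timeout 5sec
        {
        # Resolver timeouts are the other silent failure: a sensor without
        # outbound DNS never produces a notice. Log it so it is visible.
        Reporter::warning(fmt("MHR lookup timed out for %s", query));
        }
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    # Gate on the digest kind and on the sniffed MIME type, as detect-MHR does.
    if ( kind == "sha1" && f?$info && f$info?$mime_type &&
         match_file_types in f$info$mime_type )
        do_mhr_lookup(hash, Notice::create_file_info(f));
    }
```

When running this against a pcap, the two things to check in the output are `files.log` (does the sample have a `sha1` value and a `mime_type` that the pattern matches?) and `reporter.log` (did the TXT lookup time out?). If the hash is present but the MIME type is something the pattern excludes, the registry is never queried, which is consistent with the symptoms in the question even when hashing and extraction work.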

0 Answers