# @TEST-EXEC: cat %INPUT >output && btest-diff output

detect-MHR.bro

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind=="sha1" && match_file_types in f$mime_type )
		{
		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
			{
			# Data is returned as "<dateFirstDetected> <detectionRate>"
			local MHR_answer = split1(MHR_result, / /);
			if ( |MHR_answer| == 2 )
				{
				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
				local mhr_detect_rate = to_count(MHR_answer[2]);

				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
				if ( mhr_detect_rate >= notice_threshold )
					{
					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
					local virustotal_url = fmt(match_sub_url, hash);
					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
					}
				}
			}
		}
	}
