<div dir="ltr">Hi Jan,<div><br></div><div>Thank you for the clarification!</div><div>I should've known a file cannot be extracted "after" the hash of the file has been calculated.</div><div>To calculate the hash of a file in the first place you'd need to analyse the file in its entirety. </div><div>Meaning after the hash has been analysed of the file it's likely at the END bit of the data stream.</div><div><br></div><div>The partial solution to extract first and verify later might be overkill on a network where thousands of files are downloaded.</div><div>Restricting it to particular data protocols such as HTTP 'only' will have less of an impact on the computational load.</div><div>I'll have to try your suggested method, thank you for the link!</div><div><br></div><div>I was wondering if the usecase of extracting after getting an intel hit on INTEL::DOMAIN and INTEL::ADDR might still work.</div><div>My assumption here is that the time between the event file_new and intel::match might be small enough to not make a difference.</div><div>As long as the function Intel::seen is called immediately during a file_new event (this might cause some dataloss).</div><div><br></div><div>I have a one more questions if you or anyone has time:</div><div>- I'd like to compare the tx_hosts seen of a file with the INTEL::ADDR, how would I go about this? (since tx_hosts is a set (still learning bro)).</div><div><br></div><div>Kind regards,</div><div>Bart</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Op vr 13 sep. 2019 om 18:03 schreef Jan Grashöfer <<a href="mailto:jan.grashoefer@gmail.com">jan.grashoefer@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Bart,<br>
<br>
On 12/09/2019 21:40, Uton Cyr wrote:<br>
> A few questions:<br>
> - Is it possible to extract a file during an Intel::match event?<br>
> ...<br>
<br>
usually the match is too late to attach the file analyzer that handles <br>
extraction. Furthermore, in a cluster setup its triggered on the <br>
manager. The simplest way to get files for intel hits is to extract all <br>
files and just preserve the ones that triggered a hit (for the poor <br>
man's approach see <br>
<a href="https://github.com/J-Gras/intel-extensions/blob/master/scripts/preserve_files.bro" rel="noreferrer" target="_blank">https://github.com/J-Gras/intel-extensions/blob/master/scripts/preserve_files.bro</a>).<br>
<br>
Jan<br>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><br>
</blockquote></div>