[Bro] Problem extracting files

Seth Hall seth at icir.org
Wed Nov 16 08:38:51 PST 2011


On Nov 16, 2011, at 10:54 AM, David Dorsey wrote:

> [BroControl] > print HTTP::extract_file_types
>        bro   HTTP::extract_file_types = /^?(NO_DEFAULT)$?/
> [BroControl] > 
> 
> Is there another variable I need to set?

After you added the redef, did you do the check, install, restart dance in broctl?  BroControl uses cached copies of the scripts so that the running scripts are only updated when you are ready with the "install" command.

Variables that you redef can also be modified at runtime with the "update" command, so instead you could do check, install, update.  If you use the print command before and after, you should see the change reflected.  There is a bug in the HTTP file extraction in the beta too, where it only extracts an initial chunk of the file; it's fixed in the git repository already, though.

Files will also be extracted to the spool/bro directory (assuming you haven't changed your node.cfg), and I don't know how they will be handled upon file rotation.  We haven't had time to put a lot of thought into live traffic file extraction on clusters or with BroControl, so behavior is a little unknown currently.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




