[Bro] extract jar files from HTTP stream

Mike Sconzo sconzo at visiblerisk.com
Mon Dec 30 10:52:23 PST 2013


As an aside, you might also add application/zip to your file extract
(Shane has it in their list) as JAR files are also Zip files.

On Mon, Dec 30, 2013 at 7:34 AM, Shane Filus <filus at psc.edu> wrote:
> On 12/29/13 2:25 PM, drum wrote:
>> Hello,
>>
>>
>> Is there a tutorial for version 2.2 of BRO? I'd like to understand how
>> I can write my own scripts to support extraction of various files,
>> like jar. So far I tried adding "application/jar" (it was logged to
>> /nsm/bro/logs/current/files.log) as mime type to
>> /opt/bro/share/bro/file-extraction/extract.bro
>> file but it seems I have to do something else too as this change is
>> not capturing files to /nsm/bro/extracted/ directory.
> Hello,
>
>
> Check the second example under 'Adding Analysis' for a start in file
> extraction.
> http://www.bro.org/sphinx/frameworks/file-analysis.html#adding-analysis
>
> Also, not sure how it maps to Sec Onion, but there is
> $PREFIX/share/bro/base/files/extract/main.bro from a source install.
> Might be your 'extract.bro'? I don't see that file name in either 2.1 or 2.2
> source trees.
>
> Used the code below to do something similar. There's probably a more
> elegant, or efficient solution, but it seems to be working as expected,
> given the limited testing I've done.
>
>
> # define file extraction filters
> const match_file_source = /HTTP/ |
>               /IRC/ |
>               /IRC_DATA/ |
>               /FTP/ |
>               /FTP_DATA/ &redef;
>
> const match_file_mime =   /text\/x-perl/ |
>               /text\/x-msdos-batch/ |
>               /text\/x-java/ |
>               /application\/x-gzip/ |
>               /application\/x-bzip2/ |
>               /application\/x-dosexec/ |
>               /application\/zip/ |
>               /application\/jar/ |
>               /application\/x-tar/ |
>               /application\/x-archive/ |
>               /application\/mac-binhex40/ |
>               /application\/x-java-keystore/ |
>               /application\/x-java-jce-keystore/ |
>               /application\/x-executable/ |
>               /application\/javascript/ &redef;
>
> # add the extract analyzer in the file_new event when both the
> # source protocol and the sniffed MIME type match the filters above
> event file_new(f: fa_file)
>     {
>     if ( f?$mime_type &&
>         match_file_source in f$source &&
>         match_file_mime in f$mime_type )
>             Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
>     }
>
>
> Thanks,
>
>
> Shane
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
cat ~/.bash_history > documentation.txt
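To illustrate the point that JAR files are Zip files (and so can arrive labelled application/zip rather than application/jar), here is an added Python example, not from the thread and not part of Bro, that triages blobs after extraction: it opens each one as a Zip archive and reports whether it carries Java content. The sample archives are constructed inline for offline use.

```python
import io
import zipfile

JAR_MANIFEST = "META-INF/MANIFEST.MF"


def classify_archive(data: bytes) -> str:
    """Return 'jar', 'zip' or 'not-zip' for a blob written by the extract analyzer.

    A JAR is an ordinary Zip archive whose members include META-INF/MANIFEST.MF
    and/or .class files, so a file that libmagic reports as application/zip
    may still be Java code and deserves the same attention as application/jar.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-zip"
    if JAR_MANIFEST in names or any(n.endswith(".class") for n in names):
        return "jar"
    return "zip"


def build_sample(entries: dict) -> bytes:
    """Build a small in-memory Zip archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a minimal JAR, a plain Zip and a non-archive blob.
SAMPLE_JAR = build_sample({JAR_MANIFEST: "Manifest-Version: 1.0\n",
                           "Foo.class": b"\xca\xfe\xba\xbe"})
SAMPLE_ZIP = build_sample({"readme.txt": "just a text file"})
SAMPLE_TEXT = b"not an archive at all"

if __name__ == "__main__":
    for label, blob in (("jar", SAMPLE_JAR), ("zip", SAMPLE_ZIP), ("text", SAMPLE_TEXT)):
        print(label, "->", classify_archive(blob))
```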


