[Bro] Extracted files not being archived
seth at icir.org
Tue Feb 26 07:38:33 PST 2013
On Feb 26, 2013, at 9:18 AM, "Hester, Carl" <Carl.Hester at constellation.com> wrote:
> While working through the file-extraction demo posted by @hectaman (http://www.youtube.com/watch?v=-7p3yLHxug4), I noticed my http-item_* files would go missing whenever I stopped the bro processes. It looks like files are properly written to bro/spool/bro, but not rotated or archived.
Ah! Now your twitter posts make sense. Unfortunately we don't support file extraction very well when run with BroControl. *Technically* we should be writing them out to some directory other than the spool directory, but honestly I'm not ever sure how this might interact with log rotation (although log rotation for non-logging framework files should be disabled anyway).
This is an area that you might have a bit of a hard time getting anyone to focus on right now because we're going to be ripping out most of the code that Liam pointed out in his video in the coming weeks and replacing the functionality with the in-development file analysis framework.
Probably not a very satisfying answer for you right now, but it is what it is. :) If you tell us more about what you're trying to accomplish we may be able to figure out some easy way for you to get it working though.
International Computer Science Institute
(Bro) because everyone has a network
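One defensive workaround for the problem Carl describes, added here as an example and not code from the thread or from Bro/BroControl: copy the `http-item_*` files out of the spool into a timestamped archive directory (with a SHA-256 manifest, so the extracted content can be verified later) before `broctl stop` discards the spool. The spool and archive paths are assumptions to be adjusted per installation.

```shell
#!/bin/sh
# Added example: archive extracted files out of the Bro spool before the
# processes are stopped. Not part of Bro or BroControl.
# $1 = spool directory the old extraction code writes into
#      (bro/spool/bro in the original post); $2 = archive root outside the spool.
# Prints the number of files moved.
archive_extracted() {
    spool="$1"
    archive="$2"
    stamp=$(date -u +%Y-%m-%d_%H-%M-%S)
    dest="$archive/$stamp"
    mkdir -p "$dest" || return 1
    count=0
    for f in "$spool"/http-item_*; do
        # The glob stays literal when nothing matches; skip that case.
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Record the hash before moving so the manifest can be checked later
        # with: (cd "$dest" && sha256sum -c MANIFEST.sha256)
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$name" >> "$dest/MANIFEST.sha256"
        mv "$f" "$dest/$name" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Intended use before shutting Bro down, e.g.:
#   archive_extracted /path/to/bro/spool/bro /var/archive/extracted && broctl stop
```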