[Bro] Extracted files not being archived

Aashish SHARMA init.conf at gmail.com
Tue Feb 26 10:27:08 PST 2013


For the time being, I extract the files into a different directory - extracted files will be written to these folders and would persist across restarts.

in your local.bro: 

redef SMTP::extraction_prefix = "/data/bro/smtp-extract/smtp-entity" &redef;
redef HTTP::extraction_prefix = "/data/bro/http-extract/http_item" &redef; 

Needless to mention, you need to create the two directories smtp-extract and http-extract. 

You should be able to grep on the extracted filename in the rotated log files to get more detailed information about the connection etc.

Hope this helps, 

Aashish 

On Feb 26, 2013, at 7:38 AM, Seth Hall <seth at icir.org> wrote:

> 
> On Feb 26, 2013, at 9:18 AM, "Hester, Carl" <Carl.Hester at constellation.com> wrote:
> 
>> While working through the file-extraction demo posted by @hectaman (http://www.youtube.com/watch?v=-7p3yLHxug4), I noticed my http-item_* files would go missing whenever I stopped the bro processes.  It looks like files are properly written to bro/spool/bro, but not rotated or archived. 
> 
> Ah!  Now your twitter posts make sense.  Unfortunately we don't support file extraction very well when run with BroControl.  *Technically* we should be writing them out to some directory other than the spool directory, but honestly I'm not ever sure how this might interact with log rotation (although log rotation for non-logging framework files should be disabled anyway).
> 
> This is an area that you might have a bit of a hard time getting anyone to focus on right now because we're going to be ripping out most of the code that Liam pointed out in his video in the coming weeks and replacing the functionality with the in-development file analysis framework.
> 
> Probably not a very satisfying answer for you right now, but it is what it is. :)  If you tell us more about what you're trying to accomplish we may be able to figure out some easy way for you to get it working though.
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
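Aashish's tip about grepping the rotated logs for the extracted filename, worked through as an added shell example (not code from the thread). The extraction directory, the BroControl log archive layout and the sample log line are constructed assumptions; only the fact that the extracted filename appears in the rotated log is taken from the post.

```shell
#!/bin/sh
# Added example: tie files under the extraction_prefix back to the connection
# that produced them by searching the rotated Bro logs for the file's basename.

# find_log_lines <extracted-file> <log-archive-dir>
# Prints every line of any rotated log (plain or gzipped) that mentions the
# extracted file's basename; a miss in one log must not stop the search.
find_log_lines() {
    name=$(basename "$1")
    find "$2" -type f \( -name '*.log' -o -name '*.log.gz' \) | while read -r log; do
        case "$log" in
            *.gz) gzip -dc "$log" | grep -F -- "$name" || : ;;
            *)    grep -F -- "$name" "$log" || : ;;
        esac
    done
}

# count_orphans <extract-dir> <log-archive-dir>
# Counts extracted files with no log line referencing them, i.e. files that
# survived a restart but whose log entry was lost or never rotated.
count_orphans() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -z "$(find_log_lines "$f" "$2")" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# demo: constructed sample data standing in for /data/bro/http-extract and
# the BroControl archive (assumed at /data/bro/logs/<date>/); not real captures.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/logs/2013-02-26" "$d/http-extract"
    printf '1361901480.123\tCXYZ1\t10.0.0.5\t50123\t93.184.216.34\t80\tGET\texample.org\t/demo.bin\thttp_item-42.dat\n' \
        > "$d/logs/2013-02-26/http.10:00:00-11:00:00.log"
    : > "$d/http-extract/http_item-42.dat"   # referenced by the log line above
    : > "$d/http-extract/http_item-99.dat"   # no log line: an orphan
    echo "lines for http_item-42.dat:"
    find_log_lines "$d/http-extract/http_item-42.dat" "$d/logs"
    echo "orphans: $(count_orphans "$d/http-extract" "$d/logs")"
    rm -rf "$d"
}
demo
```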