[Bro] adding date into file extraction directory
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Jun 13 10:47:27 PDT 2013
On Jun 13, 2013, at 5:30 AM, 김희철 <hckim at narusec.com> wrote:
> I made a change to local.bro to do HTTP file extraction
> and set the saving directory to ../files/http/file-http.
> The problem is there are too many files in the http directory,
> so is there a way to make an automatic date directory under http,
> ../files/http/today's date/file-http,
> where the date changes automatically?
> I used the command
> redef HTTP::extract_file_types = /application\/.*/;
> redef HTTP::extraction_prefix = "../files/http/file-http";
You can't do that by using those existing mechanisms since the extraction prefix is always a string constant at runtime and cannot change. It should be possible/easy to do in the next release when using the generic file analysis interface.
For now, what you could do is basically duplicate the code of scripts/base/protocols/http/file-extract.bro except replace usage of "extraction_prefix" with a call to your own function that returns the file prefix that you want (it would probably use something like "strftime("%Y-%m-%d", current_time())" to get the date part of it). Then change your local.bro to use your own version of the script.
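The following is an added example of the replacement function Jonathan describes; it is not code from this list post or from the Bro project. It assumes the Bro 2.1 script API (strftime, network_time, mkdir, fmt, Reporter::warning); the names extraction_base_dir, extraction_file_prefix and extraction_prefix_for_today are made up here.

```bro
# Added example, not part of the original post or of Bro itself.
# Returns a per-day extraction prefix such as
#   ../files/http/2013-06-13/file-http
# and creates the day's directory the first time it is needed.
# Assumed API: Bro 2.1 built-ins strftime(), network_time(), mkdir(),
# fmt() and Reporter::warning().

module HTTP;

export {
	## Base directory below which one sub-directory per day is created
	## (hypothetical name, matches the ../files/http path from the question).
	const extraction_base_dir = "../files/http" &redef;

	## File-name prefix used inside the per-day directory (hypothetical name).
	const extraction_file_prefix = "file-http" &redef;
}

# Remember the last directory we created so mkdir() runs once per day,
# not once per extracted object.  The date is recomputed on every call,
# so the first extraction after midnight lands in a new directory.
global last_extraction_dir = "";

function extraction_prefix_for_today(): string
	{
	# network_time() rather than current_time(): when replaying a pcap the
	# packet timestamps decide the directory, not the wall clock.  On live
	# traffic the two are the same.
	local day = strftime("%Y-%m-%d", network_time());
	local dir = fmt("%s/%s", extraction_base_dir, day);

	if ( dir != last_extraction_dir )
		{
		# mkdir() returns F only on a real failure (e.g. permissions);
		# an already existing directory is fine.
		if ( ! mkdir(dir) )
			Reporter::warning(fmt("cannot create extraction directory %s", dir));

		last_extraction_dir = dir;
		}

	return fmt("%s/%s", dir, extraction_file_prefix);
	}
```

In the private copy of file-extract.bro, every place that reads `extraction_prefix` when building the output file name becomes a call to `extraction_prefix_for_today()` instead; the rest of the copied script stays as it is. Two caveats a deployment should check: the base http scripts are loaded by default, so the copy must use its own variable names (as above) or the original `extraction_prefix`/`extract_file_types` redefs will still drive the stock script in parallel; and `mkdir()` creates only the last path component, so the base directory `../files/http` must already exist.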