[Bro] File carving

Seth Hall seth at icir.org
Thu Sep 5 09:14:57 PDT 2013

On Sep 5, 2013, at 11:38 AM, Antonio Nappa <jeppojeps at gmail.com> wrote:

> to carve jar files from pcaps, the problem is that if I manually carve a file from Wireshark, the size and the hash of this file are different from the ones that I get if I use Bro. What is funny is that in the http.log I get the right md5 of the jar file, but then if I use the md5sum utility on the file extracted with Bro they don't match.

There is some problem with doing file extraction in 2.1 that pops up from time to time.  I don't think there is anyone that is totally clear what the problem is and we've completely revamped file handling for 2.2.  The video where I discuss file handling in the upcoming 2.2 release was just released today and there are some exercises available too.

Video: http://security.ncsa.illinois.edu/BroExchange2013/Hall-File_Analysis-NCSA%20DSS%20H264%201.25Mbps.mp4
Exercises: http://bro.org/bro-exchange-2013/exercises/faf.html


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
