[Bro] File carving
seth at icir.org
Thu Sep 5 09:14:57 PDT 2013
On Sep 5, 2013, at 11:38 AM, Antonio Nappa <jeppojeps at gmail.com> wrote:
> to carve jar files from pcaps. The problem is that if I manually carve a file from Wireshark, the size and the hash of this file are different from the ones that I get if I use Bro. What is funny is that in the http.log I get the right md5 of the jar file, but then if I use the md5sum utility on the file extracted with Bro, they don't match.
There is some problem with doing file extraction in 2.1 that pops up from time to time. I don't think there is anyone who is totally clear on what the problem is, and we've completely revamped file handling for 2.2. The video where I discuss file handling in the upcoming 2.2 release was just released today, and there are some exercises available too.
International Computer Science Institute
(Bro) because everyone has a network
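Added example, not part of the original thread or of Bro itself: a check that re-hashes each extracted file and compares it with the MD5 recorded in http.log, which flags the truncated or corrupted extractions described above. It assumes the log is in Bro's tab-separated ASCII format with a `#fields` header and that the relevant columns are named `md5` and `extraction_file`; the sample log and files are constructed.

```python
import hashlib
import os
import tempfile

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names on the #fields header line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def md5_of(path):
    h = hashlib.md5()  # MD5 only because that is the digest the log records
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_extractions(log_text, extract_dir):
    """Return (file, logged_md5, disk_md5, status) for every logged extraction."""
    results = []
    for rec in parse_bro_log(log_text):
        # Column names are assumptions; "-" is Bro's marker for an unset field.
        name, logged = rec.get("extraction_file", "-"), rec.get("md5", "-")
        if name in ("-", "") or logged in ("-", ""):
            continue
        path = os.path.join(extract_dir, os.path.basename(name))
        if not os.path.exists(path):
            results.append((name, logged, None, "missing"))
            continue
        disk = md5_of(path)
        status = "ok" if disk == logged.lower() else "mismatch"
        results.append((name, logged, disk, status))
    return results

def demo():
    # Constructed sample: b.jar is written truncated, as a bad extraction would be.
    full_a, full_b = b"PK\x03\x04" + b"A" * 100, b"PK\x03\x04" + b"B" * 100
    d = tempfile.mkdtemp()
    for name, data in (("a.jar", full_a), ("b.jar", full_b[:60])):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    log = "#fields\tuid\tmd5\textraction_file\n"
    log += "u1\t%s\ta.jar\n" % hashlib.md5(full_a).hexdigest()
    log += "u2\t%s\tb.jar\n" % hashlib.md5(full_b).hexdigest()
    log += "u3\t-\t-\n"
    return [(r[0], r[3]) for r in check_extractions(log, d)]

if __name__ == "__main__":
    print(demo())
```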