[Bro] File extraction and archive files

Parker, Jonathan E. jep at g-c-i.net
Fri Apr 25 07:23:17 PDT 2014


I've been tasked to find files with a specific "signature" in the file header, where the file will be within an archive of files.  This needs to be agnostic of the protocol that transported the archive file.

I'm thinking the way to do this is to use the new File Analysis framework.  Does Bro provide a mechanism to "automagically" extract the contents of an archive when it is an archive file that is being extracted from a protocol, or is this something I'm going to have to script myself?  How can I know that a file has been fully received such that I can begin my analysis?

Thanks - Jon