[Bro] Filenames not extracted in files.log

Seth Hall seth at icir.org
Tue Apr 29 20:08:57 PDT 2014

On Apr 29, 2014, at 5:49 PM, Bob Probert <bruisebrotherprobert at gmail.com> wrote:

> After looking at an aggregate 30 days of files.log in Splunk, I noticed that 98% of the files identified by Bro have no filenames associated with them. 

It's because 98% of files transferred over the internet have no reliable name associated with them. :)

Since most of the "files" in your files.log are http content and with HTTP there is a mechanism for transferring a file name along with the data (content-disposition header) it's a pretty bad idea to trust anything in the url as a file name.  You would end up with lots of "files" being transferred named "index.php" and "index.asp" which I don't think you want either.  We heavily tend toward conservatism in cases where an incorrect interpretation could arise.

All of that said, this is something that you could write an extension script to add to your files.log if you really want it.  I'll leave it as an exercise to you to write the script though. ;)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140429/69018e04/attachment.bin 

More information about the Bro mailing list