[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Jonathon Wright jonathon.s.wright at gmail.com
Wed Aug 6 12:53:16 PDT 2014

Hey Bro List,

I'm trying to set up file extraction using Bro 2.2 on a RHEL 6.5 system and it's not functioning properly (no files are being extracted from the pcap).

Here is what I've tried:

I put whatever.bro into the directory:

I edited "local.bro" and told it to "load whatever.bro"

I verified all configuration syntax: broctl check

I addressed any errors (none)

I installed the script: broctl install

Then bounced bro: broctl restart

To test the bro file extraction capabilities, my "whatever.bro" script contains the following:

    # This produces logs only, no extracted files
    # Attach the extraction analyzer to every file Bro sees
    event file_new(f: fa_file)
        {
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
        }

My (produced from tcpdump) pcap contains a five minute section of traffic where I downloaded a few HP printer drivers to test. Wireshark was able to extract the files, so we know the pcap file integrity is good.

I ran this on the command line to have Bro extract the HP printer driver files from the same pcap file:

    bro -C -r my_pcap_file

Logs are produced in the pwd, but no extracted files.

Any ideas?
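A complete Bro 2.2 extraction script, added here as an example and not part of the original post or the Bro distribution. It assumes the script is loaded explicitly (`@load whatever` in local.bro for a broctl deployment, or `bro -C -r my_pcap_file whatever.bro` on the command line, since a plain `bro -r` run does not load local.bro), and that extracted files land in the default `FileExtract::prefix` directory (`./extract_files/`); the MIME map and the protocol allow-list are constructed for the example.

```bro
# Added example: Bro 2.2 file extraction with per-file names and an audit line.
# Assumes the script is loaded explicitly; output goes under FileExtract::prefix.
@load base/files/extract

# Map MIME types to a file extension so extracted files are easy to triage.
# Anything else gets no extension rather than a guessed one.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/zip"]       = "zip",
    ["application/pdf"]       = "pdf",
    ["text/plain"]            = "txt",
    ["text/html"]             = "html",
} &default = "";

# Only extract files carried over these protocols (constructed allow-list).
const extract_sources: set[string] = { "HTTP", "FTP_DATA" } &redef;

event file_new(f: fa_file)
    {
    if ( f$source !in extract_sources )
        return;

    local ext = "";
    if ( f?$mime_type )
        ext = ext_map[f$mime_type];

    # <source>-<file id>.<ext>; the file id is unique per observed file,
    # so concurrent downloads never overwrite each other.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }

# When Bro is done with the file, report where it landed and whether any
# bytes were missed (which happens when the capture has packet loss).
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    print fmt("extracted %s%s (%d bytes seen, %d bytes missed)",
              FileExtract::prefix, f$info$extracted,
              f$seen_bytes, f$missing_bytes);
    }
```

The `extracted` field is also written to files.log, so the same information is available without the print for a running cluster.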