[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Jonathon Wright jonathon.s.wright at gmail.com
Wed Aug 6 13:41:43 PDT 2014


Too easy, that worked! It created the extracted files in the 'pwd'. I
checked the md5 they matched from the wireshark pcap file. I'll run another
test on a tcpdump file and verify the md5 as well.

Three questions then:
1. Can I safely assume, based on these test results, that broctl
will perform the same way as bro?
2. If so, where will broctl place the 'extracted_files' directory?
3. Lastly, whats the best way to investigate these files (I'm capturing all
exe downloads on HTTP)? For example, the directory 'extracted_files' will
be full of HTTP-blahblah names. How would I correlate those file names
to its actual file name? Is that information stored in the conn.log,
files.log, http.log, packet_filter.log,  & weird.log?

Thanks for your time.

JW


On Wed, Aug 6, 2014 at 10:17 AM, Jonathon Wright <
jonathon.s.wright at gmail.com> wrote:

> Yes it does!
>
> What I'm trying to do is "Verify that broctl is configured for File
> Extraction properly". My method was to test broctl by using bro on the CLI.
> Your explanation is good information.
>
> I'm going to try that now and update the list on results.
>
>
> On Wed, Aug 6, 2014 at 10:07 AM, Seth Hall <seth at icir.org> wrote:
>
>>
>> On Aug 6, 2014, at 3:53 PM, Jonathon Wright <jonathon.s.wright at gmail.com>
>> wrote:
>>
>> > I verified all configuration syntax: broctl check
>> >
>> >  bro -C -r my_pcap_file
>>
>> Two separate things are going on here.  Broctl is really focused around
>> running Bro on live traffic and orchestrating all of the complexity
>> involved in that.  You are then separately trying to run the Bro binary on
>> a trace file and get output.
>>
>> Your whatever.bro script is installed and ready to be used when Bro is
>> run with broctl.  Since you're just running Bro directly here though, you
>> will want to load your script on the command line like this:
>>
>>         bro -C -r my_pcap_file whatever.bro
>>
>> You could also load the full local.bro script if you want that
>> functionality too like this:
>>
>>         bro -C -r my_pcap_file local.bro whatever.bro
>>
>> Does that explain things better?
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140806/9479bb0e/attachment.html 


More information about the Bro mailing list