[Bro] Bro 2.2 File Extraction (RHEL 6.5)
jonathon.s.wright at gmail.com
Wed Aug 6 13:41:43 PDT 2014
Too easy, that worked! It created the extracted files in the 'pwd'. I
checked the md5s and they matched the ones from the Wireshark pcap file. I'll run
another test on a tcpdump file and verify the md5 as well.
Three questions then:
1. Can I safely assume, based on these test results, that broctl
will perform the same way as bro?
2. If so, where will broctl place the 'extracted_files' directory?
3. Lastly, what's the best way to investigate these files (I'm capturing all
exe downloads on HTTP)? For example, the directory 'extracted_files' will
be full of HTTP-blahblah names. How would I correlate those file names
to their actual file names? Is that information stored in the conn.log,
files.log, http.log, packet_filter.log, & weird.log?
Thanks for your time.
On Wed, Aug 6, 2014 at 10:17 AM, Jonathon Wright <
jonathon.s.wright at gmail.com> wrote:
> Yes it does!
> What I'm trying to do is "Verify that broctl is configured for File
> Extraction properly". My method was to test broctl by using bro on the CLI.
> Your explanation is good information.
> I'm going to try that now and update the list on results.
> On Wed, Aug 6, 2014 at 10:07 AM, Seth Hall <seth at icir.org> wrote:
>> On Aug 6, 2014, at 3:53 PM, Jonathon Wright <jonathon.s.wright at gmail.com>
>> > I verified all configuration syntax: broctl check
>> > bro -C -r my_pcap_file
>> Two separate things are going on here. Broctl is really focused around
>> running Bro on live traffic and orchestrating all of the complexity
>> involved in that. You are then separately trying to run the Bro binary on
>> a trace file and get output.
>> Your whatever.bro script is installed and ready to be used when Bro is
>> run with broctl. Since you're just running Bro directly here though, you
>> will want to load your script on the command line like this:
>> bro -C -r my_pcap_file whatever.bro
>> You could also load the full local.bro script if you want that
>> functionality too like this:
>> bro -C -r my_pcap_file local.bro whatever.bro
>> Does that explain things better?
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
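The third question above, correlating the opaque names in 'extracted_files' back to the request that delivered each file, is what the following script demonstrates. It is an added example, not code from the thread or from the Bro project. It parses Bro's ASCII log format from the `#fields` header (so column order does not matter) and joins files.log to http.log on the file id: files.log carries `fuid`, `conn_uids` and `extracted`, and http.log carries `uid` and `resp_fuids`. The two log excerpts embedded below are constructed sample data; the extracted-file names are assumed to follow the `extracted_files/HTTP-<fuid>` pattern the poster describes, and the md5 values and ids are placeholders.

```python
"""Map Bro 2.2 extracted files back to the HTTP request that carried them.

Added example (not from the mailing-list thread or the Bro project).
Joins files.log and http.log on the file id (fuid).  The log excerpts
below are constructed sample data with placeholder ids and hashes.
"""
import posixpath

# Constructed files.log excerpt (subset of the Bro 2.2 columns).
FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tfilename\tmd5\textracted
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tstring\tstring\tstring
1407354103.107500\tFaBcDe1234567890AB\t203.0.113.10\t192.0.2.25\tCxYz123abcDEF\tHTTP\tapplication/x-dosexec\t-\t0123456789abcdef0123456789abcdef\textracted_files/HTTP-FaBcDe1234567890AB
1407354104.220000\tFgHiJk0987654321CD\t203.0.113.10\t192.0.2.25\tCxYz123abcDEF\tHTTP\ttext/html\t-\t-\t-
1407354110.000000\tFmNoPq5555555555EF\t198.51.100.7\t192.0.2.25\tCqRs777stuVWX\tHTTP\tapplication/x-dosexec\tupdate.exe\tfedcba9876543210fedcba9876543210\textracted_files/HTTP-FmNoPq5555555555EF
"""

# Constructed http.log excerpt; the third file above has no matching request
# (e.g. http.log already rotated), which the join must tolerate.
HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\tresp_fuids\tresp_mime_types
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tvector[string]\tvector[string]
1407354103.100000\tCxYz123abcDEF\t192.0.2.25\t51234\t203.0.113.10\t80\tGET\tdownloads.example.com\t/files/setup.exe?v=2\t200\tFaBcDe1234567890AB\tapplication/x-dosexec
1407354104.200000\tCxYz123abcDEF\t192.0.2.25\t51234\t203.0.113.10\t80\tGET\tdownloads.example.com\t/index.html\t200\tFgHiJk0987654321CD\ttext/html
"""


def parse_bro_log(text):
    """Parse a Bro ASCII log. Returns (meta, rows); rows are dicts keyed by
    the #fields names, with unset values as None and empty sets as ""."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-", "fields": []}
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator line is the only header that uses a space,
            # because the real separator is not known yet (e.g. "\x09").
            raw = line.split(" ", 1)[1]
            meta["separator"] = raw.encode("ascii").decode("unicode_escape")
            continue
        sep = meta["separator"]
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = vals[0]
            elif key == "fields":
                meta["fields"] = vals
            continue  # #types, #path, #open, #close are not needed here
        row = {}
        for name, value in zip(meta["fields"], line.split(sep)):
            if value == meta["unset_field"]:
                row[name] = None
            elif value == meta["empty_field"]:
                row[name] = ""
            else:
                row[name] = value
        rows.append(row)
    return meta, rows


def split_set(value, set_sep):
    """Split a Bro set/vector column into a list (unset or empty -> [])."""
    return value.split(set_sep) if value else []


def correlate_extracted(files_log, http_log):
    """Return {extracted path: details} for every extracted file, joining
    files.log to http.log through fuid -> resp_fuids."""
    fmeta, files = parse_bro_log(files_log)
    hmeta, http = parse_bro_log(http_log)
    fuid_to_http = {}
    for h in http:
        for fuid in split_set(h["resp_fuids"], hmeta["set_separator"]):
            fuid_to_http[fuid] = h
    result = {}
    for f in files:
        if f["extracted"] is None:
            continue  # only files the extract analyzer actually wrote
        h = fuid_to_http.get(f["fuid"])
        if h is not None:
            # Original name: last path component of the URI, query stripped.
            original = posixpath.basename(h["uri"].split("?", 1)[0]) or None
            host, uri = h["host"], h["uri"]
        else:
            # No request found: fall back to files.log's own filename column.
            original, host, uri = f["filename"], None, None
        result[f["extracted"]] = {
            "fuid": f["fuid"],
            "conn_uids": split_set(f["conn_uids"], fmeta["set_separator"]),
            "host": host, "uri": uri, "original_name": original,
            "mime_type": f["mime_type"], "md5": f["md5"],
        }
    return result


if __name__ == "__main__":
    for path, info in correlate_extracted(FILES_LOG, HTTP_LOG).items():
        print(path, "<-", info["host"], info["uri"], info["original_name"], info["md5"])
```

The `conn_uids` in each result row is the key into conn.log for the rest of the connection context. Because the parser reads the `#fields` header rather than assuming a column order, the same script can be pointed at full-width files.log and http.log output from a live run; only the column names it touches (`fuid`, `conn_uids`, `extracted`, `filename`, `mime_type`, `md5`, `uid`, `resp_fuids`, `host`, `uri`) need to be present.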